@synergenius/flow-weaver 0.26.4 → 0.26.6

package/dist/agent/cli-session.d.ts

@@ -60,14 +60,31 @@ export declare class CliSession {
      * to prevent TOCTOU races.
      */
     send(userMessage: string, systemPromptPrefix?: string): AsyncGenerator<StreamEvent>;
+    /** Whether a send() call is currently active. */
+    get hasActiveTurn(): boolean;
     /**
      * Kill the CLI process.
      */
     kill(): void;
+    /** Callback for session kill events — wire to audit logging. */
+    private _onSessionKilled?;
+    /** Register a callback that fires when this session is killed. */
+    set onSessionKilled(cb: ((info: {
+        sessionId: string;
+        hadActiveTurn: boolean;
+        eventsInTurn: number;
+    }) => void) | undefined);
     /**
      * Compute a fingerprint of CLI-relevant options for cache comparison.
      * Field order is significant for JSON.stringify comparison.
      * Add new CLI-relevant fields here when they're added to CliSessionOptions.
+     *
+     * NOTE: mcpConfigPath is EXCLUDED. It's an ephemeral temp path that changes
+     * on every createMcpBridge() call. Including it causes fingerprint mismatches
+     * that kill active sessions mid-turn when a second provider is created for
+     * the same project (e.g., orchestrator + worker sharing the same projectDir).
+     * The MCP bridge is swapped per-request via setHandlers() — the config path
+     * is only needed at spawn time, not for session identity.
      */
     private static fingerprint;
     private pushEvent;
@@ -81,6 +98,13 @@ export declare class CliSession {
  * Get an existing session or create a new one.
  * Phase 1.4: Validates that cached sessions have matching CLI-relevant options.
  * If options changed on the same key, the old session is killed and recreated.
+ *
+ * SAFETY: Refuses to kill a session with an active turn. This prevents data
+ * loss when multiple providers share the same session key (e.g., orchestrator
+ * and worker both using projectDir as key). If the fingerprint doesn't match
+ * but the session has an active turn, we return the existing session and log
+ * a warning — better to reuse a session with slightly different options than
+ * to kill an active conversation and lose costUsd/result data.
  */
 export declare function getOrCreateCliSession(key: string, options: CliSessionOptions): CliSession;
 /**

package/dist/agent/cli-session.js

@@ -20,9 +20,20 @@
  * 4. The CLI uses NDJSON for MCP stdio transport (not Content-Length framing).
  */
 import { randomUUID } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
 import { spawn as nodeSpawn } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
 import { StreamJsonParser } from './streaming.js';
 const DEFAULT_IDLE_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+// Package version included in session fingerprint so cached sessions
+// auto-invalidate when the core is updated (e.g. npm update).
+let CORE_VERSION = 'unknown';
+try {
+    const pkgPath = resolve(dirname(fileURLToPath(import.meta.url)), '../../package.json');
+    CORE_VERSION = JSON.parse(readFileSync(pkgPath, 'utf-8')).version;
+}
+catch { /* non-fatal */ }
 export class CliSession {
     sessionId = randomUUID();
     child = null;
@@ -246,14 +257,31 @@ export class CliSession {
             }
         }
         finally {
+            // Log how the turn ended for debugging cost/result event issues.
+            // If turn.done is false here, the generator was abandoned by the consumer
+            // (e.g., for-await broke out) before completeTurn/markDead fired.
+            // This means the result event hasn't been processed yet, and any
+            // subsequent stdout data (including the result) will be silently dropped
+            // because activeTurn is about to be set to null.
+            if (!turn.done) {
+                process.stderr.write(`\x1b[33m  ⚠ CliSession: generator abandoned before turn.done (events=${turn.events.length}). Result event will be lost.\x1b[0m\n`);
+            }
             this.activeTurn = null;
             this.resetIdleTimer();
         }
     }
+    /** Whether a send() call is currently active. */
+    get hasActiveTurn() {
+        return this.activeTurn !== null && !this.activeTurn.done;
+    }
     /**
      * Kill the CLI process.
      */
     kill() {
+        if (this.hasActiveTurn) {
+            process.stderr.write(`\x1b[31m  ✗ CliSession.kill() called with active turn — data loss will occur (session=${this.sessionId.slice(0, 8)})\x1b[0m\n`);
+            this._onSessionKilled?.({ sessionId: this.sessionId, hadActiveTurn: true, eventsInTurn: this.activeTurn.events.length });
+        }
         this.clearIdleTimer();
         if (this.child && this.alive) {
             this.log?.info('Killing CLI session', { sessionId: this.sessionId });
@@ -268,6 +296,12 @@ export class CliSession {
         }
         this.markDead();
     }
+    /** Callback for session kill events — wire to audit logging. */
+    _onSessionKilled;
+    /** Register a callback that fires when this session is killed. */
+    set onSessionKilled(cb) {
+        this._onSessionKilled = cb;
+    }
     // ---------------------------------------------------------------------------
     // Private
     // ---------------------------------------------------------------------------
@@ -275,11 +309,19 @@ export class CliSession {
      * Compute a fingerprint of CLI-relevant options for cache comparison.
      * Field order is significant for JSON.stringify comparison.
      * Add new CLI-relevant fields here when they're added to CliSessionOptions.
+     *
+     * NOTE: mcpConfigPath is EXCLUDED. It's an ephemeral temp path that changes
+     * on every createMcpBridge() call. Including it causes fingerprint mismatches
+     * that kill active sessions mid-turn when a second provider is created for
+     * the same project (e.g., orchestrator + worker sharing the same projectDir).
+     * The MCP bridge is swapped per-request via setHandlers() — the config path
+     * is only needed at spawn time, not for session identity.
      */
     static fingerprint(options) {
         return JSON.stringify({
+            _coreVersion: CORE_VERSION, // auto-invalidate cache on core update
             model: options.model,
-            mcpConfigPath: options.mcpConfigPath,
+            // mcpConfigPath deliberately excluded — see comment above
             strictMcpConfig: options.strictMcpConfig,
             disallowedTools: options.disallowedTools,
             tools: options.tools,
@@ -306,6 +348,26 @@ export class CliSession {
         this.cleanupFn?.();
         this.cleanupFn = null;
         if (this.activeTurn && !this.activeTurn.done) {
+            // KNOWN ISSUE: On long orchestrator runs (many MCP tool calls), the CLI
+            // process can die before emitting the `result` event. This means:
+            // - costUsd from total_cost_usd is lost (stays 0)
+            // - cacheReadTokens / cacheCreationTokens are lost
+            // - The turn ends via markDead instead of completeTurn
+            // When this happens, consumers should fall back to cost-update events
+            // from the global usage callback for accurate cost tracking.
+            // See: project_costUsd_bench_issue.md in memory for full investigation.
+            const eventCount = this.activeTurn.events.length;
+            const hasResult = this.activeTurn.events.some((e) => e.type === 'usage' && e.costUsd != null);
+            if (!hasResult) {
+                const lastStderr = this.stderrBuf.slice(-500);
+                this.log?.warn('CLI session died before result event — costUsd will be 0', {
+                    sessionId: this.sessionId,
+                    eventsInTurn: eventCount,
+                    lastStderr: lastStderr || '(empty)',
+                });
+                // Always log to stderr so it's visible in bench output
+                process.stderr.write(`\x1b[33m  ⚠ CLI session died before result event (${eventCount} events buffered). costUsd will be 0. stderr: ${lastStderr.slice(0, 200)}\x1b[0m\n`);
+            }
             if (!this.activeTurn.events.some((e) => e.type === 'message_stop')) {
                 this.activeTurn.events.push({ type: 'message_stop', finishReason: 'error' });
             }
@@ -345,6 +407,13 @@ const sessions = new Map();
  * Get an existing session or create a new one.
  * Phase 1.4: Validates that cached sessions have matching CLI-relevant options.
  * If options changed on the same key, the old session is killed and recreated.
+ *
+ * SAFETY: Refuses to kill a session with an active turn. This prevents data
+ * loss when multiple providers share the same session key (e.g., orchestrator
+ * and worker both using projectDir as key). If the fingerprint doesn't match
+ * but the session has an active turn, we return the existing session and log
+ * a warning — better to reuse a session with slightly different options than
+ * to kill an active conversation and lose costUsd/result data.
  */
 export function getOrCreateCliSession(key, options) {
     const existing = sessions.get(key);
@@ -353,7 +422,13 @@ export function getOrCreateCliSession(key, options) {
         if (existing.matchesOptions(options)) {
             return existing;
         }
-        // Options changed — kill old session and recreate
+        // Options changed — but REFUSE to kill if there's an active turn
+        if (existing.hasActiveTurn) {
+            process.stderr.write(`\x1b[33m  ⚠ getOrCreateCliSession: fingerprint mismatch on key "${key}" but session has active turn — reusing existing session to prevent data loss\x1b[0m\n`);
+            return existing;
+        }
+        // No active turn — safe to kill and recreate
+        process.stderr.write(`\x1b[2m  [session-cache] killing session for key "${key}" — fingerprint changed\x1b[0m\n`);
         existing.kill();
         sessions.delete(key);
     }

package/dist/cli/flow-weaver.mjs

@@ -9886,7 +9886,7 @@ var VERSION;
 var init_generated_version = __esm({
   "src/generated-version.ts"() {
     "use strict";
-    VERSION = "0.26.4";
+    VERSION = "0.26.6";
   }
 });
 
@@ -95973,7 +95973,7 @@ function parseIntStrict(value) {
 // src/cli/index.ts
 init_logger();
 init_error_utils();
-var version2 = true ? "0.26.4" : "0.0.0-dev";
+var version2 = true ? "0.26.6" : "0.0.0-dev";
 var program2 = new Command();
 program2.name("fw").description("Flow Weaver Annotations - Compile and validate workflow files").option("-v, --version", "Output the current version").option("--no-color", "Disable colors").option("--color", "Force colors").on("option:version", () => {
   logger.banner(version2);

package/dist/generated-version.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.26.4";
+export declare const VERSION = "0.26.6";
 //# sourceMappingURL=generated-version.d.ts.map

package/dist/generated-version.js

@@ -1,3 +1,3 @@
 // Auto-generated by scripts/generate-version.ts — do not edit manually
-export const VERSION = '0.26.4';
+export const VERSION = '0.26.6';
 //# sourceMappingURL=generated-version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synergenius/flow-weaver",
-  "version": "0.26.4",
+  "version": "0.26.6",
   "description": "Deterministic workflow compiler for AI agents. Compiles to standalone TypeScript, no runtime dependencies.",
   "private": false,
   "type": "module",