@telora/daemon 0.17.53 → 0.17.59

package/dist/spawn-sandbox.js

@@ -0,0 +1,210 @@
+/**
+ * OS sandbox for spawned agents -- "make the worktree boundary true" (D3).
+ *
+ * The daemon spawns agents with --dangerously-skip-permissions /
+ * --dangerously-bypass-approvals-and-sandbox. The ONLY isolation around such a
+ * spawn used to be a git worktree, which bounds the git branch but NOT the OS:
+ * the agent could read sibling repos, the operator's home, SSH/cloud creds, and
+ * reach the network freely. This module wraps the spawn command in an OS
+ * sandbox (bubblewrap on Linux) so the agent's filesystem is confined to its
+ * worktree plus an explicit read-only allowlist (toolchain + model-auth config),
+ * with privileged capabilities and namespaces dropped.
+ *
+ * Posture (see docs/security-posture-daemon-execution.md):
+ * - FILESYSTEM confinement + capability/namespace isolation are ENFORCED by bwrap.
+ * - OUTBOUND EGRESS allowlisting is NOT enforced here (bubblewrap has no L3/L7
+ *   egress filter); it is a documented residual gap. Network is shared so the
+ *   agent can still reach the Telora API / git / registries / model API.
+ *
+ * FAIL-CLOSED: an EXPLICIT 'bwrap' mode whose sandbox cannot initialize REFUSES
+ * the spawn (throws SandboxUnavailableError) rather than running unconfined.
+ *
+ * DEFAULT is 'off' (see resolveSandboxMode): auto-enabling a sandbox whose
+ * per-host read-bind set has not been validated could break real spawns, so
+ * operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. On Linux with bwrap present we log a
+ * recommendation to enable it.
+ *
+ * Pure command construction (buildSandboxCommand) takes injected deps so it is
+ * unit-testable without a real bubblewrap.
+ */
+import { existsSync } from 'node:fs';
+import { join, isAbsolute } from 'node:path';
+import { healthEvents } from '@telora/daemon-core';
+/** Thrown when an explicitly-required sandbox cannot initialize (fail-closed). */
+export class SandboxUnavailableError extends Error {
+    constructor(detail) {
+        super(`Sandbox required but unavailable -- refusing spawn (fail-closed). ${detail}`);
+        this.name = 'SandboxUnavailableError';
+    }
+}
+/** Default bubblewrap executable name (overridable via deps for tests). */
+export const BWRAP_COMMAND = 'bwrap';
+/** Return true if an executable name/path exists on the host PATH. */
+export function commandOnPath(command, env = process.env) {
+    if (isAbsolute(command) || command.includes('/'))
+        return existsSync(command);
+    const pathEnv = env.PATH ?? '';
+    return pathEnv.split(':').filter(Boolean).some((dir) => existsSync(join(dir, command)));
+}
+/** Is bubblewrap available on this host? */
+export function isBwrapAvailable(deps = {}) {
+    const cmd = deps.bwrapCommand ?? BWRAP_COMMAND;
+    const exists = deps.commandExists ?? ((c) => commandOnPath(c));
+    return exists(cmd);
+}
+/**
+ * Resolve the effective sandbox mode.
+ *
+ * - explicit config.sandbox.mode wins (and is honored even if unavailable --
+ *   buildSandboxCommand then fail-closes).
+ * - unset + darwin => 'off' (dev; bwrap is Linux-only).
+ * - unset + linux  => 'off' (safe default), with a warning health event emitted
+ *   when bwrap is available. Operators opt in explicitly after per-host validation
+ *   -- see docs/runbook-daemon-service-user.md.
+ */
+export function resolveSandboxMode(sandbox, deps = {}) {
+    if (sandbox?.mode)
+        return sandbox.mode;
+    const platform = deps.platform ?? process.platform;
+    if (platform !== 'linux')
+        return 'off';
+    const available = deps.bwrapAvailable ?? isBwrapAvailable();
+    if (available) {
+        const message = 'bubblewrap is available but the spawn sandbox is OFF (default). ' +
+            'Enable filesystem confinement by setting sandbox.mode="bwrap" in daemon.json ' +
+            'after validating per-host read-binds -- see docs/runbook-daemon-service-user.md.';
+        if (deps.logRecommendation) {
+            deps.logRecommendation(message);
+        }
+        else {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.off_bwrap_available',
+                message,
+            });
+        }
+    }
+    return 'off';
+}
+/**
+ * Build the (possibly sandbox-wrapped) command + args for a spawn.
+ *
+ * mode 'off'   -> returns the inner command unchanged and emits a loud
+ *                 "running unconfined" signal (the spawn has the daemon user's
+ *                 full authority).
+ * mode 'bwrap' -> if bwrap is unavailable, THROWS SandboxUnavailableError
+ *                 (fail-closed); otherwise returns a bwrap invocation that binds
+ *                 the worktree read-write, the readOnlyPaths read-only, system
+ *                 dirs read-only, and drops privileged namespaces.
+ */
+export function buildSandboxCommand(opts) {
+    const { command, args, policy, mode, bwrapAvailable } = opts;
+    const bwrap = opts.bwrapCommand ?? BWRAP_COMMAND;
+    if (mode === 'off') {
+        opts.onUnconfined?.('spawn sandbox is OFF -- the agent runs with the daemon user\'s full filesystem authority');
+        return { command, args: [...args] };
+    }
+    // mode === 'bwrap'
+    if (!bwrapAvailable) {
+        throw new SandboxUnavailableError(`sandbox.mode is "bwrap" but the "${bwrap}" executable was not found on the daemon host. ` +
+            'Install bubblewrap or set sandbox.mode="off" (unconfined) deliberately.');
+    }
+    const bwrapArgs = [
+        // Lifecycle / isolation: drop privileged namespaces, keep NET (the agent
+        // needs Telora/git/registry/model access). Die with the daemon; new session.
+        '--die-with-parent',
+        '--new-session',
+        '--unshare-user',
+        '--unshare-ipc',
+        '--unshare-pid',
+        '--unshare-uts',
+        '--unshare-cgroup',
+        // Minimal virtual filesystems.
+        '--proc', '/proc',
+        '--dev', '/dev',
+        '--tmpfs', '/tmp',
+        // System runtime + config, read-only. -try so a missing dir is skipped, not fatal.
+        '--ro-bind', '/usr', '/usr',
+        '--ro-bind-try', '/bin', '/bin',
+        '--ro-bind-try', '/sbin', '/sbin',
+        '--ro-bind-try', '/lib', '/lib',
+        '--ro-bind-try', '/lib64', '/lib64',
+        // /etc read-only: CA certs, resolv.conf, passwd. Does NOT expose any home dir.
+        '--ro-bind-try', '/etc', '/etc',
+    ];
+    // The worktree is the ONLY writable host tree.
+    bwrapArgs.push('--bind', policy.worktreePath, policy.worktreePath);
+    // Explicit read-only allowlist (toolchain + model-auth config). Anything not
+    // listed -- sibling repos, ~/.ssh, ~/.aws, other homes -- is simply not bound,
+    // so it is invisible inside the sandbox.
+    for (const p of policy.readOnlyPaths ?? []) {
+        if (p && p.trim())
+            bwrapArgs.push('--ro-bind-try', p, p);
+    }
+    bwrapArgs.push('--chdir', policy.worktreePath);
+    // Terminator, then the real command.
+    bwrapArgs.push('--', command, ...args);
+    return { command: bwrap, args: bwrapArgs };
+}
+/**
+ * High-level helper used by the spawn path: resolve mode from config, derive the
+ * read-only allowlist (toolchain + model-auth config), and build the wrapped
+ * command. Emits a health event on unconfined runs and refuses (throws) when an
+ * explicitly-required sandbox is unavailable.
+ */
+export function wrapSpawnCommand(config, spawn) {
+    const mode = resolveSandboxMode(config.sandbox);
+    const bwrapAvailable = isBwrapAvailable();
+    const readOnlyPaths = deriveReadOnlyPaths(config, spawn.command);
+    return buildSandboxCommand({
+        command: spawn.command,
+        args: spawn.args,
+        policy: { worktreePath: spawn.worktreePath, readOnlyPaths },
+        mode,
+        bwrapAvailable,
+        onUnconfined: (reason) => {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.unconfined',
+                message: reason,
+            });
+        },
+    });
+}
+/**
+ * Derive the read-only host paths a spawn legitimately needs: the toolchain
+ * (the backend command's dir + the daemon's own node), the agent's model-auth
+ * config under HOME (~/.claude.json, ~/.claude, ~/.codex), and any extra paths
+ * configured. Kept narrow -- this is the allowlist that decides what the agent
+ * can read OUTSIDE its worktree. Exported for tests.
+ */
+export function deriveReadOnlyPaths(config, backendCommand) {
+    const paths = new Set();
+    const home = process.env.HOME;
+    // Model-auth config the agent needs (NOT ~/.ssh, NOT ~/.aws).
+    // ~/.gitconfig: read-only, safe to expose -- agents commit work under the
+    // daemon user's identity; without this git refuses to commit inside the sandbox.
+    if (home) {
+        paths.add(join(home, '.claude.json'));
+        paths.add(join(home, '.claude'));
+        paths.add(join(home, '.codex'));
+        paths.add(join(home, '.gitconfig'));
+    }
+    // Per-product isolated CODEX_HOME, when set.
+    if (config.codexHome)
+        paths.add(config.codexHome);
+    // The daemon's node executable (so the agent's tooling can re-exec node).
+    if (process.execPath)
+        paths.add(process.execPath);
+    // The backend command itself, when it is an absolute path outside /usr.
+    if (isAbsolute(backendCommand))
+        paths.add(backendCommand);
+    // Operator-configured extras.
+    for (const p of config.sandbox?.readOnlyPaths ?? [])
+        paths.add(p);
+    return [...paths];
+}
+//# sourceMappingURL=spawn-sandbox.js.map

package/dist/spawn-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spawn-sandbox.js","sourceRoot":"","sources":["../src/spawn-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,kFAAkF;AAClF,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,MAAc;QACxB,KAAK,CAAC,qEAAqE,MAAM,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,2EAA2E;AAC3E,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AAErC,sEAAsE;AACtE,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,MAAyB,OAAO,CAAC,GAAG;IACjF,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,gBAAgB,CAC9B,OAA4E,EAAE;IAE9E,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAClC,OAA4G,EAAE;IAE9G,IAAI,OAAO,EAAE,IAAI;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IAEvC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,gBAAgB,EAAE,CAAC;IAC5D,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GACX,kEAAkE;YAClE,+EAA+E;YAC/E,kFAAkF,CAAC;QACrF,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,6BAA6B;gBACnC,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AA+BD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAsB;IACxD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAEjD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,YAAY,EAAE,CACjB,0FAA0F,CAC3F,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,oCAAoC,KAAK,iDAAiD;YACxF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAa;QAC1B,yEAAyE;QACzE,6EAA6E;QAC7E,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,eAAe;QACf,eAAe;QACf,eAAe;QACf,kBAAkB;QAClB,+BAA+B;QAC/B,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,MAAM;QACjB,mFAAmF;QACnF,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,OAAO,EAAE,OAAO;QACjC,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,QAAQ,EAAE,QAAQ;QACnC,+EAA+E;QAC/E,eAAe,EAAE,MAAM,EAAE,MAAM;KAChC,CAAC;IAEF,+CAA+C;IAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAEnE,6EAA6E;IAC7E,+EAA+E;IAC/E,yCAAyC;IACzC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,IAAI,EAAE,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;YAAE,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC/C,qCAAqC;IACrC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAoB,EACpB,KAAyE;IAEzE,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,gBAAgB,EAAE,CAAC;IAE1C,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjE,OAAO,mBAAmB,CAAC;QACzB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,MAAM,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,aAAa,EAAE;QAC3D,IAAI;QACJ,cAAc;QACd,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;YACvB,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAoB,EAAE,cAAsB;IAC9E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAE9B,8DAA8D;IAC9D,0EAA0E;IAC1E,iFAAiF;IACjF,IAAI,IAAI,EAAE,CAAC;QACT,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC;QACtC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;QACjC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,6CAA6C;IAC7C,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElD,0EAA0E;IAC1E,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElD,wEAAwE;IACxE,IAAI,UAAU,CAAC,cAAc,CAAC;QAAE,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAE1D,8BAA8B;IAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE;QAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAElE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/staleness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"staleness.d.ts","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC9F,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,eAAe,EAAE,OAAO,CAAC;IACzB,wDAAwD;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,oEAAoE;AACpE,eAAO,MAAM,0BAA0B,QAAqB,CAAC;AAE7D,gEAAgE;AAChE,eAAO,MAAM,wBAAwB,6BAA6B,CAAC;AAEnE,wEAAwE;AACxE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,UAAU,GAAG,IAAI,CAAC;IAClC,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAMD,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,GAAE,MAAM,MAAiB,GAAG,iBAAiB,GAAG,IAAI,CAO5F;AAiCD,2EAA2E;AAC3E,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,aAAa,EACnB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAajG;AAMD,qFAAqF;AACrF,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,EAAE,gBAAgB,EACtB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAelB;AAED,sFAAsF;AACtF,wBAAsB,6BAA6B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW5F;AAED,sFAAsF;AACtF,eAAO,MAAM,iCAAiC,QAAiB,CAAC;AAEhE;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,cAAc,EAAE,MAAM,EACtB,UAAU,GAAE,MAA0C,GACrD,MAAM,IAAI,CAaZ;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAShF"}
+{"version":3,"file":"staleness.d.ts","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC9F,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,eAAe,EAAE,OAAO,CAAC;IACzB,wDAAwD;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,oEAAoE;AACpE,eAAO,MAAM,0BAA0B,QAAqB,CAAC;AAE7D,gEAAgE;AAChE,eAAO,MAAM,wBAAwB,6BAA6B,CAAC;AAEnE,wEAAwE;AACxE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,UAAU,GAAG,IAAI,CAAC;IAClC,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAMD,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,GAAE,MAAM,MAAiB,GAAG,iBAAiB,GAAG,IAAI,CAO5F;AAiCD,2EAA2E;AAC3E,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,aAAa,EACnB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAajG;AAMD,qFAAqF;AACrF,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,EAAE,gBAAgB,EACtB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAED,sFAAsF;AACtF,wBAAsB,6BAA6B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW5F;AAED,sFAAsF;AACtF,eAAO,MAAM,iCAAiC,QAAiB,CAAC;AAEhE;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,cAAc,EAAE,MAAM,EACtB,UAAU,GAAE,MAA0C,GACrD,MAAM,IAAI,CAaZ;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAShF"}

package/dist/staleness.js

@@ -158,8 +158,19 @@ export async function maybeRefreshVersionCheckCacheCore(deps, currentVersion) {
     const cache = deps.readCache();
     if (cache) {
         const checkedAtMs = Date.parse(cache.checkedAt);
-        if (Number.isFinite(checkedAtMs) && deps.now() - checkedAtMs < VERSION_CHECK_CACHE_TTL_MS) {
-            return false; // Fresh -- nothing to do.
+        const withinTtl = Number.isFinite(checkedAtMs) && deps.now() - checkedAtMs < VERSION_CHECK_CACHE_TTL_MS;
+        // A cache entry whose latestVersion is at/below the running version carries
+        // zero actionable signal. After a self-update restart the running version can
+        // leapfrog the cached latest (e.g. running 0.17.53 > cached 0.17.48); the TTL
+        // would otherwise keep that semantically-dead entry authoritative for up to 6h,
+        // blinding the daemon to every subsequently-published release. Force a refresh
+        // in the leapfrog case regardless of cache age -- the startup prime tick then
+        // self-heals the cache on the next boot. The equal case (latest == running, the
+        // up-to-date steady state) still honors the TTL, so registry traffic does not
+        // increase for daemons that are already current.
+        const leapfrogged = isNewerVersion(currentVersion, cache.latestVersion);
+        if (withinTtl && !leapfrogged) {
+            return false; // Fresh and actionable -- nothing to do.
         }
     }
     const result = await deps.checkForUpdates(currentVersion);

package/dist/staleness.js.map

@@ -1 +1 @@
-{"version":3,"file":"staleness.js","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,qBAAqB,GAEtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AA0B9F,oEAAoE;AACpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7D,gEAAgE;AAChE,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAC;AAYnE,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B;IAC1C,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,wBAAwB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAoB,IAAI,CAAC,GAAG;IAChE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,GAAG,EAAE,GAAG,WAAW,IAAI,0BAA0B;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,4BAA4B,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAA+B,CAAC;QACrF,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAwB;IAC9C,IAAI,CAAC;QACH,oBAAoB,EAAE,CAAC;QACvB,aAAa,CACX,4BAA4B,EAAE,EAC9B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EACrC,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAiBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAmB,EACnB,OAAyB,EAAE;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxF,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC;IAEpC,4EAA4E;IAC5E,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,CAAC,mDAAmD;QACpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,2DAA2D;QACrF,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;YAC7C,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,cAAc;QACd,aAAa;QACb,eAAe,EAAE,cAAc,CAAC,aAAa,EAAE,cAAc,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,GAAG,CAAC,IAAI,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/F,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAyB,EAAE;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,oBAAoB,CAAC;YAChC,QAAQ,EAAE,cAAc;YACxB,eAAe,EAAE,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,OAAO;YAChD,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,IAAI,CAAC,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,IAAsB,EACtB,cAAsB;IAEtB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,OAAO,KAAK,CAAC,CAAC,0BAA0B;QAC1C,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC;QACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QAC7C,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,cAAsB;IACxE,IAAI,CAAC;QACH,OAAO,MAAM,iCAAiC,CAAC;YAC7C,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,cAAc,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,MAAM,iCAAiC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEhE;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAsB,EACtB,aAAqB,iCAAiC;IAEtD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,IAAI,GAAG,GAAS,EAAE;QACtB,IAAI,OAAO;YAAE,OAAO;QACpB,KAAK,6BAA6B,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC,CAAC;IACF,IAAI,EAAE,CAAC,CAAC,mEAAmE;IAC3E,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5C,KAAK,CAAC,KAAK,EAAE,CAAC;IACd,OAAO,GAAG,EAAE;QACV,OAAO,GAAG,IAAI,CAAC;QACf,aAAa,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA0B;IAC/D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,IAAI,GAAG,sBAAsB,IAAI,CAAC,cAAc,cAAc,IAAI,CAAC,aAAa,aAAa,CAAC;IAClG,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACnE,IAAI;YACF,4GAA4G;gBAC5G,oFAAoF,CAAC;IACzF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"staleness.js","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,qBAAqB,GAEtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AA0B9F,oEAAoE;AACpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7D,gEAAgE;AAChE,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAC;AAYnE,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B;IAC1C,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,wBAAwB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAoB,IAAI,CAAC,GAAG;IAChE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,GAAG,EAAE,GAAG,WAAW,IAAI,0BAA0B;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,4BAA4B,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAA+B,CAAC;QACrF,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAwB;IAC9C,IAAI,CAAC;QACH,oBAAoB,EAAE,CAAC;QACvB,aAAa,CACX,4BAA4B,EAAE,EAC9B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EACrC,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAiBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAmB,EACnB,OAAyB,EAAE;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxF,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC;IAEpC,4EAA4E;IAC5E,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,CAAC,mDAAmD;QACpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,2DAA2D;QACrF,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;YAC7C,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,cAAc;QACd,aAAa;QACb,eAAe,EAAE,cAAc,CAAC,aAAa,EAAE,cAAc,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,GAAG,CAAC,IAAI,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/F,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAyB,EAAE;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,oBAAoB,CAAC;YAChC,QAAQ,EAAE,cAAc;YACxB,eAAe,EAAE,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,OAAO;YAChD,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,IAAI,CAAC,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,IAAsB,EACtB,cAAsB;IAEtB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,MAAM,SAAS,GACb,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,CAAC;QACxF,4EAA4E;QAC5E,8EAA8E;QAC9E,8EAA8E;QAC9E,gFAAgF;QAChF,+EAA+E;QAC/E,8EAA8E;QAC9E,gFAAgF;QAChF,8EAA8E;QAC9E,iDAAiD;QACjD,MAAM,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;QACxE,IAAI,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;YAC9B,OAAO,KAAK,CAAC,CAAC,yCAAyC;QACzD,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC;QACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QAC7C,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,cAAsB;IACxE,IAAI,CAAC;QACH,OAAO,MAAM,iCAAiC,CAAC;YAC7C,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,cAAc,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,MAAM,iCAAiC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEhE;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAsB,EACtB,aAAqB,iCAAiC;IAEtD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,IAAI,GAAG,GAAS,EAAE;QACtB,IAAI,OAAO;YAAE,OAAO;QACpB,KAAK,6BAA6B,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC,CAAC;IACF,IAAI,EAAE,CAAC,CAAC,mEAAmE;IAC3E,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5C,KAAK,CAAC,KAAK,EAAE,CAAC;IACd,OAAO,GAAG,EAAE;QACV,OAAO,GAAG,IAAI,CAAC;QACf,aAAa,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA0B;IAC/D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,IAAI,GAAG,sBAAsB,IAAI,CAAC,cAAc,cAAc,IAAI,CAAC,aAAa,aAAa,CAAC;IAClG,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACnE,IAAI;YACF,4GAA4G;gBAC5G,oFAAoF,CAAC;IACzF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/supabase.d.ts

@@ -14,7 +14,7 @@ export type { CreateSessionParams, SessionAggregates } from './queries/sessions.
 export { getReadyDeliveries, getDeliveryContext, updateDeliveryStatus, recordDeliveryTransition, markDeliveryAutoApproved, updateDeliveryMergeCommitSha, getDoneDeliveries, getReadyFocuses, getActiveFocuses, getMergeConflictDeliveries, reportGitState, recordFocusMerge, } from './queries/deliveries.js';
 export type { TransitionRecord } from './queries/deliveries.js';
 export { fetchEffectiveWorkflow, fetchEffectiveWorkflowWithTransitions } from './queries/workflows.js';
-export { getDeliveryIssues, getDeliverySessionCount, updateIssueStatus, createEscalation, createIssue, } from './queries/issues.js';
+export { getDeliveryIssues, getDeliverySessionCount, updateIssueStatus, createEscalation, hasOpenEscalationForDelivery, createIssue, } from './queries/issues.js';
 export type { CreateEscalationParams } from './queries/issues.js';
 export { fetchTransitionGuards, createTransitionEvaluation, createTransitionBlock, getActiveTransitionBlock, getResolvedTransitionBlockForDelivery, } from './queries/guards.js';
 export { sendHeartbeat, sendDisconnect, claimProduct } from './queries/daemon-connection.js';

package/dist/supabase.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAGxE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,6BAA6B,EAC7B,aAAa,EACb,aAAa,GACd,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAGhE,OAAO,EAAE,sBAAsB,EAAE,qCAAqC,EAAE,MAAM,wBAAwB,CAAC;AAGvG,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAGlE,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,qBAAqB,EACrB,wBAAwB,EACxB,qCAAqC,GACtC,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAG7F,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAG/D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,yBAAyB,EACzB,kBAAkB,EAClB,iCAAiC,GAClC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,0BAA0B,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAG/F,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAG7D,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,4BAA4B,CAAC;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAGrE,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAIrF;;GAEG;AACH,wBAAsB,sBAAsB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,CAGtF;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,KAAK,CAEnC"}
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAGxE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGjE,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,6BAA6B,EAC7B,aAAa,EACb,aAAa,GACd,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAGhE,OAAO,EAAE,sBAAsB,EAAE,qCAAqC,EAAE,MAAM,wBAAwB,CAAC;AAGvG,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,4BAA4B,EAC5B,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAGlE,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,qBAAqB,EACrB,wBAAwB,EACxB,qCAAqC,GACtC,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAG7F,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAG/D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,yBAAyB,EACzB,kBAAkB,EAClB,iCAAiC,GAClC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,0BAA0B,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAG/F,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAG7D,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,4BAA4B,CAAC;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAGrE,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAIrF;;GAEG;AACH,wBAAsB,sBAAsB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,CAGtF;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,KAAK,CAEnC"}

package/dist/supabase.js

@@ -18,7 +18,7 @@ export { getReadyDeliveries, getDeliveryContext, updateDeliveryStatus, recordDel
 // -- Workflows --
 export { fetchEffectiveWorkflow, fetchEffectiveWorkflowWithTransitions } from './queries/workflows.js';
 // -- Issues & Escalations --
-export { getDeliveryIssues, getDeliverySessionCount, updateIssueStatus, createEscalation, createIssue, } from './queries/issues.js';
+export { getDeliveryIssues, getDeliverySessionCount, updateIssueStatus, createEscalation, hasOpenEscalationForDelivery, createIssue, } from './queries/issues.js';
 // -- Guards (Workflow System) --
 export { fetchTransitionGuards, createTransitionEvaluation, createTransitionBlock, getActiveTransitionBlock, getResolvedTransitionBlockForDelivery, } from './queries/guards.js';
 // -- Daemon Connection --

package/dist/supabase.js.map

@@ -1 +1 @@
-{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,mCAAmC;AACnC,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAExE,oBAAoB;AACpB,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEjE,uBAAuB;AACvB,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,6BAA6B,EAC7B,aAAa,EACb,aAAa,GACd,MAAM,uBAAuB,CAAC;AAG/B,6BAA6B;AAC7B,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AAGjC,kBAAkB;AAClB,OAAO,EAAE,sBAAsB,EAAE,qCAAqC,EAAE,MAAM,wBAAwB,CAAC;AAEvG,6BAA6B;AAC7B,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAG7B,iCAAiC;AACjC,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,qBAAqB,EACrB,wBAAwB,EACxB,qCAAqC,GACtC,MAAM,qBAAqB,CAAC;AAE7B,0BAA0B;AAC1B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAE7F,4BAA4B;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D,uCAAuC;AACvC,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,yBAAyB,EACzB,kBAAkB,EAClB,iCAAiC,GAClC,MAAM,sBAAsB,CAAC;AAG9B,uBAAuB;AACvB,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAGhC,sBAAsB;AACtB,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,4BAA4B,CAAC;AAGpC,iBAAiB;AACjB,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAG/D,8CAA8C;AAE9C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,eAAuB;IAClE,OAAO,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;IAC7F,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;AAC3F,CAAC"}
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../src/supabase.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,mCAAmC;AACnC,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAExE,oBAAoB;AACpB,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEjE,uBAAuB;AACvB,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,6BAA6B,EAC7B,aAAa,EACb,aAAa,GACd,MAAM,uBAAuB,CAAC;AAG/B,6BAA6B;AAC7B,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,4BAA4B,EAC5B,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,0BAA0B,EAC1B,cAAc,EACd,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AAGjC,kBAAkB;AAClB,OAAO,EAAE,sBAAsB,EAAE,qCAAqC,EAAE,MAAM,wBAAwB,CAAC;AAEvG,6BAA6B;AAC7B,OAAO,EACL,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,gBAAgB,EAChB,4BAA4B,EAC5B,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAG7B,iCAAiC;AACjC,OAAO,EACL,qBAAqB,EACrB,0BAA0B,EAC1B,qBAAqB,EACrB,wBAAwB,EACxB,qCAAqC,GACtC,MAAM,qBAAqB,CAAC;AAE7B,0BAA0B;AAC1B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAE7F,4BAA4B;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D,uCAAuC;AACvC,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,yBAAyB,EACzB,kBAAkB,EAClB,iCAAiC,GAClC,MAAM,sBAAsB,CAAC;AAG9B,uBAAuB;AACvB,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAGhC,sBAAsB;AACtB,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,4BAA4B,CAAC;AAGpC,iBAAiB;AACjB,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAG/D,8CAA8C;AAE9C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,eAAuB;IAClE,OAAO,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;IAC7F,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;AAC3F,CAAC"}

package/dist/types/config.d.ts

@@ -21,12 +21,52 @@ export interface TelemetryConfig {
     /** Number of days to retain telemetry events. Default: 30. */
     retentionDays: number;
 }
+/**
+ * OS sandbox mode for spawned agents.
+ * - 'bwrap': confine each spawn with bubblewrap (Linux). If bwrap cannot
+ *   initialize, the spawn is REFUSED (fail-closed) -- never run unconfined.
+ * - 'off':   no OS sandbox; the spawn runs with the daemon user's authority
+ *            (the worktree bounds only the git branch, not the filesystem).
+ */
+export type SandboxMode = 'bwrap' | 'off';
+/**
+ * Configuration for the spawn OS sandbox (D3 -- "make the worktree boundary true").
+ *
+ * Default resolution when `mode` is unset: macOS (dev) => 'off'; Linux => 'off'
+ * by default too, but the daemon logs a recommendation to enable 'bwrap' when
+ * bubblewrap is available. Defaulting to 'off' is deliberate -- auto-enabling a
+ * sandbox whose per-host read-bind set has not been validated could break real
+ * spawns; operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. An EXPLICIT 'bwrap' is fail-closed: if
+ * bubblewrap is unavailable the spawn is refused, never silently unconfined.
+ */
+export interface SandboxConfig {
+    /** Sandbox mode. Unset => platform default (see above). */
+    mode?: SandboxMode;
+    /**
+     * Extra host paths to expose read-only inside the sandbox -- the toolchain
+     * (node/claude/codex bin dirs) and the agent's model-auth config the spawn
+     * legitimately needs (e.g. ~/.claude.json, ~/.codex). The worktree itself is
+     * always bound read-write; everything not listed is invisible.
+     */
+    readOnlyPaths?: string[];
+    /**
+     * Outbound egress allowlist (hostnames). NOTE: bubblewrap does NOT enforce
+     * L3/L7 egress, so this is currently advisory and documented as a residual
+     * gap in docs/security-posture-daemon-execution.md (candidate enforcement:
+     * per-uid nftables rules at the service-user layer). Filesystem confinement
+     * + capability/namespace isolation are the enforced boundary today.
+     */
+    egressAllowlist?: string[];
+}
 /**
  * Configuration for the daemon.
  *
  * Extends BaseConfig from @telora/daemon-core with daemon-specific fields.
  */
 export interface DaemonConfig extends BaseConfig {
+    /** OS sandbox for spawned agents (D3). Undefined => platform default. */
+    sandbox?: SandboxConfig;
     /** Path/command for the Codex CLI executable. Default: 'codex' (on PATH). */
     codexPath?: string;
     worktreeDir: string;

package/dist/types/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,KAAK,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,yEAAyE;IACzE,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@telora/daemon",
-  "version": "0.17.53",
+  "version": "0.17.59",
   "description": "Agent orchestration daemon for Telora - spawns and manages Claude Code instances",
   "type": "module",
   "bin": {
@@ -36,7 +36,7 @@
   },
   "//testRunner": "Uses Node.js built-in test runner (node:test) via tsx for TypeScript support. The root package uses Vitest; this is a deliberate choice for the daemon package to avoid framework dependencies. See src/__tests__/ for test files.",
   "dependencies": {
-    "@telora/daemon-core": "^0.2.37",
+    "@telora/daemon-core": "^0.2.38",
     "@telora/mcp-products": "^0.22.57",
     "commander": "^14.0.3",
     "yaml": "^2.4.0",