@triflux/core 10.37.0 → 10.38.0

package/hooks/agy-session-hook.mjs

@@ -30,12 +30,18 @@ function parsePayload(stdinData) {
   }
 }
 
-// Antigravity hook payloads use camelCase system metadata (conversationId,
-// workspacePaths) rather than Codex's session_id/cwd. registerInteractiveSession
-// and heartbeatInteractiveSession parse the Codex shape, so we adapt the agy
-// payload into that shape before delegating. conversationId is the stable
-// per-conversation UUID (== session identity); the first mounted workspace path
-// is the effective cwd.
+/**
+ * Convert an Antigravity hook payload into the Codex-shaped session payload
+ * consumed by the shared fast session registration helpers.
+ *
+ * Antigravity hook payloads use camelCase system metadata (`conversationId`,
+ * `workspacePaths`) rather than Codex's `session_id`/`cwd`. The
+ * `conversationId` is the stable per-conversation UUID; the first mounted
+ * workspace path is the effective cwd.
+ *
+ * @param {Record<string, unknown> | null | undefined} payload
+ * @returns {string} JSON string with `{ session_id, cwd, actor_cli }`.
+ */
 export function toSessionPayload(payload) {
   const sessionId = String(payload?.conversationId || "").trim();
   const workspacePaths = Array.isArray(payload?.workspacePaths)
@@ -48,10 +54,18 @@ export function toSessionPayload(payload) {
   return JSON.stringify({ session_id: sessionId, cwd, actor_cli: "agy" });
 }
 
-// agy has no distinct SessionStart / UserPromptSubmit events. PreInvocation
-// fires before every model call, so the per-conversation invocationNum gates
-// register (first call == session start) vs heartbeat (subsequent calls).
-// An explicit argv mode (register|heartbeat) overrides, mirroring the codex hook.
+/**
+ * Decide whether a PreInvocation payload should register or heartbeat.
+ *
+ * agy has no distinct SessionStart/UserPromptSubmit events. PreInvocation fires
+ * before every model call, so per-conversation `invocationNum` gates register
+ * (first call) vs heartbeat (later calls). An explicit argv mode overrides this,
+ * mirroring the Codex hook.
+ *
+ * @param {string | null | undefined} argvMode
+ * @param {Record<string, unknown> | null | undefined} payload
+ * @returns {"register" | "heartbeat"}
+ */
 export function normalizeMode(argvMode, payload) {
   const direct = String(argvMode || "")
     .trim()
@@ -67,6 +81,50 @@ export function normalizeMode(argvMode, payload) {
   return "register";
 }
 
+function swallowStdoutWrite(_chunk, encodingOrCallback, callback) {
+  const done =
+    typeof encodingOrCallback === "function" ? encodingOrCallback : callback;
+  if (typeof done === "function") done();
+  return true;
+}
+
+async function runHookSideEffectsWithStdoutSuppressed(fn) {
+  const originalStdoutWrite = stdout.write;
+  const originalConsoleDebug = console.debug;
+  const originalConsoleInfo = console.info;
+  const originalConsoleLog = console.log;
+
+  stdout.write = swallowStdoutWrite;
+  console.debug = () => {};
+  console.info = () => {};
+  console.log = () => {};
+  try {
+    return await fn();
+  } finally {
+    stdout.write = originalStdoutWrite;
+    console.debug = originalConsoleDebug;
+    console.info = originalConsoleInfo;
+    console.log = originalConsoleLog;
+  }
+}
+
+/**
+ * Execute the observational Antigravity session hook.
+ *
+ * The hook always returns/writes an empty JSON object so hook stdout remains
+ * JSON-only and hook failures never block the user session.
+ *
+ * @param {string} stdinData
+ * @param {{
+ *   argvMode?: string,
+ *   writeStdout?: boolean,
+ *   hubEnsureRun?: (stdinData: string) => Promise<unknown> | unknown,
+ *   registerInteractiveSession?: (stdinData: string) => Promise<unknown> | unknown,
+ *   heartbeatInteractiveSession?: (stdinData: string) => Promise<unknown> | unknown,
+ *   drainPendingSynapse?: (timeoutMs?: number) => Promise<unknown> | unknown,
+ * }} [opts]
+ * @returns {Promise<string>}
+ */
 export async function runAgySessionHook(stdinData, opts = {}) {
   const output = "{}\n";
   const parsed = parsePayload(stdinData);
@@ -93,24 +151,26 @@ export async function runAgySessionHook(stdinData, opts = {}) {
     opts.drainPendingSynapse || defaultDrainPendingSynapse;
 
   try {
-    if (mode === "register") {
-      try {
-        await hubEnsureRun(sessionPayload);
-      } catch {}
-      try {
-        await Promise.resolve(registerInteractiveSession(sessionPayload));
-      } catch {}
-      try {
-        await drainPendingSynapse(1000);
-      } catch {}
-    } else if (mode === "heartbeat") {
-      try {
-        heartbeatInteractiveSession(sessionPayload);
-      } catch {}
-      try {
-        await drainPendingSynapse(500);
-      } catch {}
-    }
+    await runHookSideEffectsWithStdoutSuppressed(async () => {
+      if (mode === "register") {
+        try {
+          await hubEnsureRun(sessionPayload);
+        } catch {}
+        try {
+          await Promise.resolve(registerInteractiveSession(sessionPayload));
+        } catch {}
+        try {
+          await drainPendingSynapse(1000);
+        } catch {}
+      } else if (mode === "heartbeat") {
+        try {
+          heartbeatInteractiveSession(sessionPayload);
+        } catch {}
+        try {
+          await drainPendingSynapse(500);
+        } catch {}
+      }
+    });
   } catch {
     // agy session hooks are observational and must never block the session.
   }

package/hooks/subagent-tracker.mjs

@@ -16,7 +16,11 @@ import { dirname, join } from "node:path";
 const STATE_VERSION = 1;
 const DEFAULT_TTL_MS = 2 * 60 * 60 * 1000;
 const MAX_COMPLETED = 20;
-const DEFAULT_LOCK_TIMEOUT_MS = 750;
+// Lifecycle hooks are best-effort, but under CI/Linux process contention a
+// 30-way SubagentStart burst can legitimately take around a second to drain.
+// Keep this bounded so hooks do not hang indefinitely, while avoiding silent
+// lifecycle drops during normal high-concurrency fan-out.
+const DEFAULT_LOCK_TIMEOUT_MS = 3000;
 const LOCK_RETRY_MS = 20;
 
 function readStdin() {
@@ -96,6 +100,16 @@ function withStateLock(statePath, fn, timeoutMs = DEFAULT_LOCK_TIMEOUT_MS) {
   }
 }
 
+function lockTimeoutMsFromOptions(opts = {}) {
+  if (Number.isFinite(opts.lockTimeoutMs)) return opts.lockTimeoutMs;
+  const raw = opts.env?.TRIFLUX_SUBAGENT_LOCK_TIMEOUT_MS;
+  if (raw === undefined || raw === "") return DEFAULT_LOCK_TIMEOUT_MS;
+  const parsed = Number(raw);
+  return Number.isFinite(parsed) && parsed > 0
+    ? Math.trunc(parsed)
+    : DEFAULT_LOCK_TIMEOUT_MS;
+}
+
 function lifecycleKey(input) {
   if (typeof input.agent_id === "string" && input.agent_id.trim()) {
     return input.agent_id;
@@ -241,7 +255,7 @@ export function recordLifecycle(input, opts = {}) {
       writeState(statePath, state);
       return output;
     },
-    opts.lockTimeoutMs,
+    lockTimeoutMsFromOptions(opts),
   );
 }
 

package/hub/team/claude-daemon-control.mjs

@@ -468,21 +468,29 @@ export function sendClaudeControlRequest(
 // 인증 미강제 daemon 으로 보고 auth 필드를 생략한다 (fail-open — 구버전 호환).
 export async function readDaemonControlKey(
   configDir = resolveClaudeConfigDir(),
+  { diagnostics } = {},
 ) {
+  if (!configDir) return undefined;
+  const keyPath = path.join(configDir, "daemon", "control.key");
   try {
-    const key = await fs.readFile(
-      path.join(configDir, "daemon", "control.key"),
-      "utf8",
-    );
+    const key = await fs.readFile(keyPath, "utf8");
     return key.trim() || undefined;
-  } catch {
+  } catch (error) {
+    if (error?.code === "ENOENT") return undefined;
+    if (Array.isArray(diagnostics)) {
+      diagnostics.push({
+        code: error?.code || "UNKNOWN",
+        path: keyPath,
+        message: error?.message || String(error),
+      });
+    }
     return undefined;
   }
 }
 
-export async function buildDaemonControlAuth(configDir) {
+export async function buildDaemonControlAuth(configDir, opts = {}) {
   if (!configDir) return {};
-  const auth = await readDaemonControlKey(configDir);
+  const auth = await readDaemonControlKey(configDir, opts);
   return auth ? { auth } : {};
 }
 

package/hud/providers/gemini.mjs

@@ -197,6 +197,8 @@ export function deriveGeminiFamilyBucket(buckets) {
 
 export function buildGeminiAuthContext(accountId) {
   let oauth = readJson(GEMINI_OAUTH_PATH, null);
+  let authSource = oauth?.access_token ? "gemini-file" : "none";
+  let expiryMissing = oauth?.access_token ? oauth.expiry_date == null : false;
   const fileExpired =
     oauth?.expiry_date != null && oauth.expiry_date < Date.now();
   // Preserve a valid Gemini file token; agy Keychain is only a missing/expired fallback.
@@ -209,13 +211,15 @@ export function buildGeminiAuthContext(accountId) {
         ...fileRest
       } = oauth || {};
       oauth = { ...fileRest, ...keychainOAuth };
+      authSource = "antigravity-keychain";
+      expiryMissing = keychainOAuth.expiry_date == null;
     }
   }
   const tokenSource =
     oauth?.refresh_token || oauth?.id_token || oauth?.access_token || "";
   const tokenFingerprint = tokenSource ? makeHash(tokenSource) : "none";
   const cacheKey = `${accountId || "gemini-main"}::${tokenFingerprint}`;
-  return { oauth, tokenFingerprint, cacheKey };
+  return { oauth, tokenFingerprint, cacheKey, authSource, expiryMissing };
 }
 
 function firstPresent(...values) {
@@ -305,12 +309,76 @@ function getAntigravityTokenFromKeychain() {
   }
 }
 
+export function classifyGeminiQuotaFailure(response, authContext = {}) {
+  if (!response) return "network";
+  const error = response?.error || {};
+  const code = Number(error.code ?? response.code ?? response.status);
+  const status = String(error.status || response.status || "").toUpperCase();
+  const message = String(
+    error.message || error.code || response.error || response.message || "",
+  );
+  if (
+    code === 401 ||
+    code === 403 ||
+    status === "UNAUTHENTICATED" ||
+    status === "PERMISSION_DENIED" ||
+    /(unauthorized|forbidden|invalid authentication|invalid credentials|oauth|token|credential|auth)/i.test(
+      message,
+    )
+  ) {
+    return "auth";
+  }
+  if (
+    authContext.authSource === "antigravity-keychain" &&
+    authContext.expiryMissing === true &&
+    /(expired|invalid|unauthenticated|permission denied)/i.test(message)
+  ) {
+    return "auth";
+  }
+  return "api";
+}
+
+function formatGeminiQuotaFailure(response, authContext = {}, stage = "quota") {
+  const error =
+    response?.error?.message ||
+    response?.error?.status ||
+    response?.error?.code ||
+    response?.error ||
+    response?.message ||
+    "no buckets in response";
+  const base = String(error);
+  if (
+    authContext.authSource === "antigravity-keychain" &&
+    authContext.expiryMissing === true
+  ) {
+    return `expiry-less Antigravity Keychain token failed bounded ${stage} freshness probe: ${base}`;
+  }
+  return base;
+}
+
+function writeGeminiQuotaErrorCache(cache, authContext, errorType, errorHint) {
+  const sameKey = cache?.cacheKey === authContext.cacheKey;
+  writeJsonSafe(GEMINI_QUOTA_CACHE_PATH, {
+    ...(sameKey ? cache || {} : {}),
+    timestamp: sameKey && cache?.timestamp ? cache.timestamp : Date.now(),
+    cacheKey: authContext.cacheKey,
+    accountId: authContext.accountId || "gemini-main",
+    tokenFingerprint: authContext.tokenFingerprint,
+    authSource: authContext.authSource,
+    expiryMissing: authContext.expiryMissing === true,
+    error: true,
+    errorType,
+    errorHint,
+  });
+}
+
 // ============================================================================
 // Gemini 쿼터 API 호출 (5분 캐시)
 // ============================================================================
 export async function fetchGeminiQuota(accountId, options = {}) {
   const authContext = options.authContext || buildGeminiAuthContext(accountId);
   const { oauth, tokenFingerprint, cacheKey } = authContext;
+  authContext.accountId = accountId || "gemini-main";
   const forceRefresh = options.forceRefresh === true;
 
   // 1. 캐시 확인 (계정/토큰별)
@@ -330,35 +398,34 @@ export async function fetchGeminiQuota(accountId, options = {}) {
 
   if (!oauth?.access_token) {
     // access_token 없음: 에러 힌트를 캐시에 기록하고 stale 캐시 반환
-    writeJsonSafe(GEMINI_QUOTA_CACHE_PATH, {
-      ...(cache || {}),
-      timestamp: cache?.timestamp || Date.now(),
-      error: true,
-      errorType: "auth",
-      errorHint: "no access_token in oauth_creds.json",
-    });
+    writeGeminiQuotaErrorCache(
+      cache,
+      authContext,
+      "auth",
+      "no access_token in oauth_creds.json",
+    );
     return cache;
   }
   if (oauth.expiry_date && oauth.expiry_date < Date.now()) {
     // OAuth 토큰 만료: 에러 힌트를 캐시에 기록 (refresh_token 갱신은 Gemini CLI 담당)
-    writeJsonSafe(GEMINI_QUOTA_CACHE_PATH, {
-      ...(cache || {}),
-      timestamp: cache?.timestamp || Date.now(),
-      error: true,
-      errorType: "auth",
-      errorHint: `token expired at ${new Date(oauth.expiry_date).toISOString()}`,
-    });
+    writeGeminiQuotaErrorCache(
+      cache,
+      authContext,
+      "auth",
+      `token expired at ${new Date(oauth.expiry_date).toISOString()}`,
+    );
     return cache;
   }
 
   // 3. projectId (캐시 or API)
+  let loadCodeAssistResponse = null;
   const fetchProjectId = async () => {
-    const loadRes = await httpsPost(
+    loadCodeAssistResponse = await httpsPost(
       "https://cloudcode-pa.googleapis.com/v1internal:loadCodeAssist",
       { metadata: { pluginType: "GEMINI" } },
       oauth.access_token,
     );
-    const id = loadRes?.cloudaicompanionProject;
+    const id = loadCodeAssistResponse?.cloudaicompanionProject;
     if (id)
       writeJsonSafe(GEMINI_PROJECT_CACHE_PATH, {
         cacheKey,
@@ -376,7 +443,19 @@ export async function fetchGeminiQuota(accountId, options = {}) {
   let projectId =
     projCache?.cacheKey === cacheKey ? projCache?.projectId : null;
   if (!projectId) projectId = await fetchProjectId();
-  if (!projectId) return cache;
+  if (!projectId) {
+    writeGeminiQuotaErrorCache(
+      cache,
+      authContext,
+      classifyGeminiQuotaFailure(loadCodeAssistResponse, authContext),
+      formatGeminiQuotaFailure(
+        loadCodeAssistResponse,
+        authContext,
+        "loadCodeAssist",
+      ),
+    );
+    return cache;
+  }
 
   // 4. retrieveUserQuota 호출
   let quotaRes = await httpsPost(
@@ -388,7 +467,19 @@ export async function fetchGeminiQuota(accountId, options = {}) {
   // projectId 캐시가 만료/변경된 경우 1회 재시도
   if (!quotaRes?.buckets && projCache?.projectId) {
     projectId = await fetchProjectId();
-    if (!projectId) return cache;
+    if (!projectId) {
+      writeGeminiQuotaErrorCache(
+        cache,
+        authContext,
+        classifyGeminiQuotaFailure(loadCodeAssistResponse, authContext),
+        formatGeminiQuotaFailure(
+          loadCodeAssistResponse,
+          authContext,
+          "loadCodeAssist",
+        ),
+      );
+      return cache;
+    }
     quotaRes = await httpsPost(
       "https://cloudcode-pa.googleapis.com/v1internal:retrieveUserQuota",
       { project: projectId },
@@ -398,18 +489,12 @@ export async function fetchGeminiQuota(accountId, options = {}) {
 
   if (!quotaRes?.buckets) {
     // API 응답에 buckets 없음: 에러 코드 또는 응답 내용을 캐시에 기록
-    const apiError =
-      quotaRes?.error?.message ||
-      quotaRes?.error?.code ||
-      quotaRes?.error ||
-      "no buckets in response";
-    writeJsonSafe(GEMINI_QUOTA_CACHE_PATH, {
-      ...(cache || {}),
-      timestamp: cache?.timestamp || Date.now(),
-      error: true,
-      errorType: "api",
-      errorHint: String(apiError),
-    });
+    writeGeminiQuotaErrorCache(
+      cache,
+      authContext,
+      classifyGeminiQuotaFailure(quotaRes, authContext),
+      formatGeminiQuotaFailure(quotaRes, authContext, "quota"),
+    );
     return cache;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@triflux/core",
-  "version": "10.37.0",
+  "version": "10.38.0",
   "description": "triflux core — CLI routing, pipeline, adapters. Zero native dependencies.",
   "type": "module",
   "main": "hub/index.mjs",