@venturewild/workspace 0.2.0 → 0.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/bin/wild-workspace.mjs

@@ -23,6 +23,12 @@ import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
 import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
 import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
 import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
+import {
+  AutoUpdater, PACKAGE_NAME, npmInstall, recordUpdate,
+  loadUpdateSettings, setUpdateEnabled, setUpdateChannel,
+} from '../src/auto-update.mjs';
+import { openOwnerBrowser } from '../src/owner-browser.mjs';
+import { planReset, applyReset, RESET_KEEPS } from '../src/reset.mjs';
 
 const __filename = url.fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -44,6 +50,8 @@ Usage:
   wild-workspace login <payload>  bind this install to a slug
                                   (paste the blob from workspace.venturewild.llc)
   wild-workspace logout           clear the bound account (slug + token)
+  wild-workspace reset [--yes]    back to the beginning: unlink + reset onboarding +
+                                  flush local config (preview without --yes; keeps your files)
   wild-workspace whoami           show the currently-bound account
   wild-workspace rotate-token     mint a new account token; invalidates the old one
   wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
@@ -52,6 +60,9 @@ Usage:
   wild-workspace operator disable revoke the support token
   wild-workspace operator status  is the support channel on?
   wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
+  wild-workspace update [apply]   check for / install a newer version (auto by default)
+  wild-workspace update on|off    toggle background auto-update
+  wild-workspace update channel stable|beta   choose the update channel
   wild-workspace service install  keep your workspace always-on (starts at login, no admin)
   wild-workspace service uninstall   turn always-on off
   wild-workspace service status   show always-on status (installed? supervisor? server?)
@@ -84,6 +95,7 @@ function parseArgs(argv) {
     else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
     else if (arg === '--share') { opts.share = true; }
     else if (arg === '--rotate') { opts.rotate = true; }
+    else if (arg === '--yes' || arg === '-y') { opts.yes = true; }
     else if (arg === '--kind') { opts.kind = argv[++i]; }
     else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
     else if (arg.startsWith('--')) {
@@ -278,6 +290,73 @@ async function runLogoutCommand() {
   console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
 }
 
+// `wild-workspace reset [--yes]` — back to the beginning: unlink the account,
+// reset onboarding, flush local config/state. NEVER touches workspace files.
+// Without --yes it's a dry run (prints exactly what it WOULD remove).
+async function runResetCommand(opts) {
+  const config = buildConfig(opts);
+  const gdir = globalDir();
+  const before = loadAccount(config.dataDir);
+
+  // Collect every data dir that might hold this install's account/onboarding:
+  // the one this invocation resolves (cwd-keyed) + the always-on workspace's
+  // (recorded in service.json), in case `reset` is run from a different folder.
+  const dataDirs = new Set([config.dataDir]);
+  try {
+    const svc = JSON.parse(readFileSync(path.join(gdir, 'service.json'), 'utf8'));
+    if (svc.workspaceDir) dataDirs.add(path.join(path.resolve(svc.workspaceDir), '.wild-workspace'));
+  } catch { /* no always-on registration — fine */ }
+
+  const targets = planReset({ dataDirs: [...dataDirs], globalDir: gdir, includeMarketplace: true });
+  const present = targets.filter((t) => t.exists);
+
+  console.log('wild-workspace reset — back to the beginning\n');
+  if (before) {
+    console.log(`  currently linked: ${before.email}  (slug: ${before.slug})`);
+    console.log('');
+  }
+  if (present.length === 0) {
+    console.log('  Nothing to clear — this install is already at a clean state.');
+    return;
+  }
+
+  console.log(`  ${opts.yes ? 'Removing' : 'Would remove'}:`);
+  for (const t of present) console.log(`    - ${t.path}${t.kind === 'dir' ? '  (folder)' : ''}`);
+  console.log('');
+  console.log('  Keeps (untouched):');
+  for (const k of RESET_KEEPS) console.log(`    · ${k}`);
+  console.log('');
+
+  if (!opts.yes) {
+    console.log('  This was a PREVIEW. Re-run to actually reset:');
+    console.log('    wild-workspace reset --yes');
+    return;
+  }
+
+  const { removed, failed } = applyReset(present);
+  console.log(`  ✓ cleared ${removed.length} item(s).`);
+  if (failed.length) {
+    console.log(`  ⚠ ${failed.length} could not be removed (in use? close the app + retry):`);
+    for (const f of failed) console.log(`    - ${f.path}: ${f.error}`);
+    process.exitCode = 1;
+  }
+  console.log('');
+  // The running server still holds the old account/secrets in memory — a restart
+  // is what makes the reset take effect (and re-arms a fresh onboarding).
+  if (await probeHealth(config.port)) {
+    console.log('  ⚠ a workspace server is still running with the old state. Restart it:');
+    console.log(`     stop it (close the app / kill :${config.port}); always-on restarts it clean,`);
+    console.log('     or run `wild-workspace` yourself.');
+    console.log('');
+  }
+  console.log('  Next:');
+  console.log('    • `wild-workspace login <blob>`  — re-link to a slug, then `wild-workspace`');
+  console.log('    • or just `wild-workspace`       — start fresh and re-run onboarding');
+  console.log('');
+  console.log('  Note: the canvas LAYOUT is stored in your browser, not here — open the');
+  console.log('  workspace in a fresh/incognito window (or clear site data) for a blank canvas.');
+}
+
 async function runRotateTokenCommand() {
   const config = buildConfig({});
   const account = loadAccount(config.dataDir);
@@ -527,6 +606,67 @@ async function runObservabilityCommand(action = 'status', opts = {}) {
   return;
 }
 
+// `wild-workspace update [apply|on|off|channel <stable|beta>]` — Phase 2
+// auto-update (docs/remote-support-and-self-healing-design.md). With no
+// sub-command it checks the channel for a newer release; `apply` installs it now;
+// `on`/`off` toggle the default-on background updater; `channel` switches
+// stable/beta. The always-on supervisor does this automatically — this is the
+// manual lever + the off switch.
+async function runUpdateCommand(opts) {
+  const sub = opts.positional[1];
+  const gdir = globalDir();
+
+  if (sub === 'on' || sub === 'off') {
+    const rec = setUpdateEnabled(gdir, sub === 'on');
+    console.log(
+      rec.enabled
+        ? '✓ auto-update ON — wild-workspace keeps itself up to date in the background.'
+        : '✓ auto-update OFF — update manually with `wild-workspace update apply`.',
+    );
+    console.log(`  channel: ${rec.channel}`);
+    return;
+  }
+  if (sub === 'channel') {
+    const chan = opts.positional[2];
+    if (chan !== 'stable' && chan !== 'beta') {
+      console.log('usage: wild-workspace update channel stable|beta');
+      return;
+    }
+    console.log(`✓ update channel set to ${setUpdateChannel(gdir, chan).channel}.`);
+    return;
+  }
+
+  const settings = loadUpdateSettings(gdir);
+  const c = await new AutoUpdater({ globalDir: gdir }).check();
+  console.log(`wild-workspace ${c.current}  (channel: ${c.channel}, auto-update: ${settings.enabled ? 'on' : 'off'})`);
+  if (!c.latest) {
+    console.log('  could not reach the npm registry to check for updates.');
+    process.exitCode = 1;
+    return;
+  }
+  if (!c.available) {
+    console.log(`  up to date — ${c.latest} is the latest on ${c.channel}.`);
+    return;
+  }
+  console.log(`  update available: ${c.current} → ${c.latest}`);
+  if (sub !== 'apply') {
+    console.log('  run `wild-workspace update apply` to install it now.');
+    return;
+  }
+  console.log(`  installing ${c.latest}…`);
+  const res = await npmInstall(`${PACKAGE_NAME}@${c.latest}`);
+  if (res.code === 0) {
+    recordUpdate(gdir, { from: c.current, to: c.latest, at: Date.now(), status: 'installed' });
+    console.log(`  ✓ installed ${c.latest}.`);
+    console.log('  The always-on supervisor will restart into the new version shortly,');
+    console.log('  or restart `wild-workspace` yourself to use it now.');
+  } else {
+    console.log(`  ✗ install failed (code ${res.code}).`);
+    if (res.output) console.log('  ' + res.output.split('\n').filter(Boolean).slice(-3).join('\n  '));
+    process.exitCode = 1;
+  }
+}
+
 // `wild-workspace operator [enable|disable|status]` — the consented support
 // channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
 // the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
@@ -570,81 +710,8 @@ async function runOperatorCommand(action = 'status', opts = {}) {
 // autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
 // the per-OS launcher invokes at login; the others manage registration. All
 // per-user, no admin.
-// The URL to open for the LOCAL owner. A slug-linked install runs in public
-// mode (the server denies anon — C1), so the owner must authenticate: append
-// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
-// and strips from the address bar (S1). A localhost-only install needs no token.
-// The token is only ever placed in the URL we hand the browser — never printed.
-function localBrowserUrl(config) {
-  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-  const base = `http://${host}:${config.port}`;
-  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
-}
-
-// Ask the running local server (over genuine loopback) for a one-time sign-in
-// link to the PUBLIC url. Returns the URL or null (no slug / older server).
-async function fetchPublicBootstrapUrl(config) {
-  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-  try {
-    const ac = new AbortController();
-    const t = setTimeout(() => ac.abort(), 4000);
-    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
-      method: 'POST',
-      signal: ac.signal,
-    });
-    clearTimeout(t);
-    if (!r.ok) return null;
-    const body = await r.json().catch(() => ({}));
-    return typeof body.url === 'string' ? body.url : null;
-  } catch {
-    return null;
-  }
-}
-
-// Poll the public url's /api/health until the tunnel forwards (200) or we give
-// up — so we never open the owner onto a 502 "warming up" page.
-async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
-  const base = String(shareBaseUrl || '').replace(/\/$/, '');
-  if (!/^https?:\/\//.test(base)) return false;
-  for (let i = 0; i < tries; i += 1) {
-    try {
-      const ac = new AbortController();
-      const t = setTimeout(() => ac.abort(), 2500);
-      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
-      clearTimeout(t);
-      if (r.ok) return true;
-    } catch { /* not up yet */ }
-    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
-  }
-  return false;
-}
-
-// Open the owner's browser the friendliest way for THIS install:
-//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
-//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
-//    confirmed up. If it isn't ready yet, fall back to localhost (always works
-//    locally) and tell them their public url is warming up.
-//  - localhost-only: just open localhost.
-// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
-async function openOwnerBrowser(config) {
-  let open;
-  try { open = (await import('open')).default; } catch { return; }
-  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
-  if (slugLinked) {
-    const url = await fetchPublicBootstrapUrl(config);
-    if (url && (await publicTunnelReady(config.shareBaseUrl))) {
-      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
-      try { await open(url); } catch { /* best-effort */ }
-      return;
-    }
-    // Tunnel not up yet (or older server) — open locally so first run is never a
-    // dead page; the public url comes alive on its own as the daemon links.
-    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
-    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
-    return;
-  }
-  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
-}
+// First-run browser orchestration lives in a shebang-free module so it's
+// importable + unit-testable (server/test/owner-browser.test.mjs).
 
 async function runServiceCommand(action = 'status', opts = {}) {
   const config = buildConfig(opts);
@@ -720,6 +787,9 @@ async function main() {
   if (opts.positional[0] === 'logout') {
     return runLogoutCommand();
   }
+  if (opts.positional[0] === 'reset') {
+    return runResetCommand(opts);
+  }
   if (opts.positional[0] === 'whoami') {
     return runWhoamiCommand();
   }
@@ -732,6 +802,9 @@ async function main() {
   if (opts.positional[0] === 'logs') {
     return runLogsCommand(opts);
   }
+  if (opts.positional[0] === 'update') {
+    return runUpdateCommand(opts);
+  }
   if (opts.positional[0] === 'operator') {
     return runOperatorCommand(opts.positional[1], opts);
   }

package/server/src/auto-update.mjs

@@ -0,0 +1,277 @@
+// AutoUpdater — Phase 2 (Pillar B) of the self-healing epic
+// (docs/remote-support-and-self-healing-design.md). Kills the manual `npm i -g`
+// re-install treadmill that turned the first external install into a copy-paste
+// marathon: the always-on supervisor periodically checks the published version on
+// the user's channel, and on a new release it installs it, restarts the supervised
+// server (reusing the version-drift restart RC1b already ships), health-checks the
+// result, and ROLLS BACK to the pinned previous version if the new one doesn't come
+// up healthy.
+//
+// Tuan's locked decisions (design doc Part 6): auto-update is DEFAULT-ON (the
+// OneDrive bar — it just updates itself) with a visible "updated to vX" note + an
+// off switch; channels are `stable` (default) and `beta` (opt-in).
+//
+// Like observability.mjs/operator.mjs, settings live in their own file in the
+// machine-global dir (~/.wild-workspace, NEVER the synced workspace — locked
+// principle #1) so they survive the supervisor relaunching from a different cwd.
+//
+// Every external touch-point (npm install, registry fetch, health probe, restart,
+// clock, sleep) is an injected seam so the suite never spawns a process, hits the
+// network, or actually waits.
+
+import { spawn } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import { globalDir as defaultGlobalDir } from './logpaths.mjs';
+import { installedVersion, probeHealthVersion } from './supervisor.mjs';
+import { ensureToolPath } from './agent.mjs';
+
+export const PACKAGE_NAME = '@venturewild/workspace';
+const DEFAULT_CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6h — releases are not frequent
+
+// --- persisted settings (~/.wild-workspace/update.json) ----------------------
+
+function updateFile(dir) { return path.join(dir, 'update.json'); }
+
+/**
+ * DEFAULT-ON: an absent file means "auto-update enabled, stable channel" — the
+ * disclosure rides onboarding + the visible update note, mirroring observability.
+ */
+export function loadUpdateSettings(dir = defaultGlobalDir()) {
+  try {
+    const p = JSON.parse(fs.readFileSync(updateFile(dir), 'utf8'));
+    return {
+      enabled: p.enabled !== false,
+      channel: p.channel === 'beta' ? 'beta' : 'stable',
+      lastCheckAt: Number(p.lastCheckAt) || 0,
+      lastUpdate: p.lastUpdate || null, // { from, to, at, status }
+    };
+  } catch {
+    return { enabled: true, channel: 'stable', lastCheckAt: 0, lastUpdate: null };
+  }
+}
+
+function writeSettings(dir, rec) {
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(updateFile(dir), JSON.stringify(rec, null, 2), { mode: 0o600 });
+  } catch {
+    /* read-only fs — fall back to in-memory for this run */
+  }
+  return rec;
+}
+
+export function setUpdateEnabled(dir, enabled) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), enabled: Boolean(enabled) });
+}
+export function setUpdateChannel(dir, channel) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), channel: channel === 'beta' ? 'beta' : 'stable' });
+}
+export function touchLastCheck(dir, at) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), lastCheckAt: at });
+}
+/** Record the outcome of an update attempt; returns the stored record. */
+export function recordUpdate(dir, rec) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), lastUpdate: rec }).lastUpdate;
+}
+
+// --- semver compare (no dep) -------------------------------------------------
+
+function parseVersion(v) {
+  const [core, pre = ''] = String(v).replace(/^v/, '').split('-');
+  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
+  while (nums.length < 3) nums.push(0);
+  return { nums, pre };
+}
+
+/** True iff version `a` is strictly newer than `b` (good enough for dist-tags). */
+export function isNewer(a, b) {
+  if (!a || !b) return false;
+  const pa = parseVersion(a), pb = parseVersion(b);
+  for (let i = 0; i < 3; i++) {
+    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] > pb.nums[i];
+  }
+  // Equal core: a release (no prerelease) outranks a prerelease; else lexical.
+  if (pa.pre && !pb.pre) return false;
+  if (!pa.pre && pb.pre) return true;
+  if (pa.pre && pb.pre) return pa.pre > pb.pre;
+  return false; // identical
+}
+
+// --- registry + npm primitives -----------------------------------------------
+
+/**
+ * The version published on `channel`'s dist-tag (stable→latest, beta→beta), or
+ * null on any failure. Uses the abbreviated registry document (smaller payload).
+ */
+export async function fetchLatestVersion(channel, {
+  fetchImpl = fetch, packageName = PACKAGE_NAME, timeoutMs = 8000,
+} = {}) {
+  const tag = channel === 'beta' ? 'beta' : 'latest';
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(`https://registry.npmjs.org/${packageName.replace('/', '%2f')}`, {
+      signal: ctrl.signal,
+      headers: { accept: 'application/vnd.npm.install-v1+json' },
+    });
+    if (!res || !res.ok) return null;
+    const body = await res.json();
+    return body?.['dist-tags']?.[tag] || null;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/** Run `npm i -g <spec>`. Resolves {code, output, timedOut?, error?}; never rejects. */
+export function npmInstall(spec, {
+  spawnImpl = spawn, timeoutMs = 180000, ensurePathImpl = ensureToolPath, env = process.env,
+} = {}) {
+  return new Promise((resolve) => {
+    const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    // The always-on supervisor (our caller in the field) runs under launchd/GUI,
+    // which inherits a MINIMAL PATH omitting ~/.npm-global, /usr/local/bin,
+    // Homebrew, nvm — so a bare `npm` spawn would ENOENT (the 0.1.8 `claude`
+    // bug class). Augment PATH the same way agent.mjs does before spawning. We
+    // copy env so we never mutate the caller's process.env.
+    const childEnv = { ...env };
+    try { ensurePathImpl(childEnv); } catch { /* best-effort — fall back to inherited PATH */ }
+    let child;
+    try {
+      child = spawnImpl(cmd, ['i', '-g', spec], { windowsHide: true, env: childEnv });
+    } catch (e) {
+      return resolve({ code: -1, error: e?.message || String(e), output: '' });
+    }
+    let out = '';
+    const cap = (d) => { out += String(d); if (out.length > 20000) out = out.slice(-20000); };
+    child.stdout?.on?.('data', cap);
+    child.stderr?.on?.('data', cap);
+    const timer = setTimeout(() => { try { child.kill?.(); } catch { /* gone */ } resolve({ code: -1, timedOut: true, output: out }); }, timeoutMs);
+    child.on?.('exit', (code) => { clearTimeout(timer); resolve({ code, output: out }); });
+    child.on?.('error', (e) => { clearTimeout(timer); resolve({ code: -1, error: e?.message || String(e), output: out }); });
+  });
+}
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+// --- the updater -------------------------------------------------------------
+
+export class AutoUpdater {
+  constructor({
+    globalDir = defaultGlobalDir(),
+    packageName = PACKAGE_NAME,
+    port = Number(process.env.WILD_WORKSPACE_PORT || 5173),
+    installedVersionImpl = () => installedVersion(),
+    fetchLatestImpl = fetchLatestVersion,
+    installImpl = npmInstall,
+    // Ask the owner (the supervisor) to restart the server child so the freshly
+    // installed code is loaded. Default no-op for standalone/manual use.
+    restartImpl = async () => {},
+    // Read the RUNNING server's version (probeHealthVersion bound to our port).
+    healthVersionImpl = (port_) => probeHealthVersion(port_),
+    nowImpl = () => Date.now(),
+    logImpl = () => {},
+    env = process.env,
+    checkIntervalMs = DEFAULT_CHECK_INTERVAL_MS,
+    verifyAttempts = 10,
+    verifyDelayMs = 3000,
+    sleepImpl = sleep,
+    onUpdate = null, // (rec) => void — surface the "updated to vX" note
+  } = {}) {
+    Object.assign(this, {
+      globalDir, packageName, port, installedVersionImpl, fetchLatestImpl, installImpl,
+      restartImpl, healthVersionImpl, nowImpl, logImpl, env,
+      checkIntervalMs, verifyAttempts, verifyDelayMs, sleepImpl, onUpdate,
+    });
+    this.inProgress = false;
+  }
+
+  enabled() {
+    if (this.env.WILD_WORKSPACE_NO_AUTOUPDATE === '1') return false; // hard kill switch
+    return loadUpdateSettings(this.globalDir).enabled;
+  }
+
+  channel() { return loadUpdateSettings(this.globalDir).channel; }
+
+  dueForCheck(settings = loadUpdateSettings(this.globalDir)) {
+    return this.nowImpl() - (settings.lastCheckAt || 0) >= this.checkIntervalMs;
+  }
+
+  /** What's installed vs what's published — { current, latest, channel, available }. */
+  async check() {
+    const current = this.installedVersionImpl();
+    const channel = this.channel();
+    const latest = await this.fetchLatestImpl(channel, { packageName: this.packageName });
+    return { current, latest, channel, available: isNewer(latest, current) };
+  }
+
+  /** Poll the running server until it reports `expected`, up to verifyAttempts. */
+  async verify(expected) {
+    for (let i = 0; i < this.verifyAttempts; i++) {
+      let running = null;
+      try { running = await this.healthVersionImpl(this.port); } catch { running = null; }
+      if (running && running === expected) return true;
+      await this.sleepImpl(this.verifyDelayMs);
+    }
+    return false;
+  }
+
+  /**
+   * Install `target`, restart, verify healthy; on failure roll back to `from`.
+   * Returns { ok, stage?, rolledBack?, rec }. Records the outcome to update.json.
+   */
+  async applyUpdate(target, { from } = {}) {
+    this.logImpl(`auto-update: installing ${this.packageName}@${target} (from ${from || 'unknown'})`);
+    const install = await this.installImpl(`${this.packageName}@${target}`);
+    if (install.code !== 0) {
+      this.logImpl(`auto-update: install failed code=${install.code}${install.timedOut ? ' (timeout)' : ''}`);
+      const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status: 'install-failed' });
+      this.onUpdate?.(rec);
+      return { ok: false, stage: 'install', install, rec };
+    }
+    await this.restartImpl();
+    if (await this.verify(target)) {
+      this.logImpl(`auto-update: now running ${target}`);
+      const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status: 'ok' });
+      this.onUpdate?.(rec);
+      return { ok: true, rec };
+    }
+    // New version didn't come up healthy → roll back to the pinned previous.
+    this.logImpl(`auto-update: ${target} unhealthy — rolling back to ${from}`);
+    let rolledBack = false;
+    if (from) {
+      const rb = await this.installImpl(`${this.packageName}@${from}`);
+      if (rb.code === 0) { await this.restartImpl(); rolledBack = await this.verify(from); }
+    }
+    const status = rolledBack ? 'rolled-back' : 'rollback-failed';
+    this.logImpl(`auto-update: ${status} (target ${target})`);
+    const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status });
+    this.onUpdate?.(rec);
+    return { ok: false, stage: 'verify', rolledBack, rec };
+  }
+
+  /**
+   * One auto-update cycle, called on the supervisor's slow timer. Self-rate-limits
+   * via dueForCheck so the timer cadence and the check interval are independent.
+   * Returns a short status string (exposed for tests/logging).
+   */
+  async tick() {
+    if (this.inProgress) return 'busy';
+    if (!this.enabled()) return 'disabled';
+    if (!this.dueForCheck()) return 'not-due';
+    this.inProgress = true;
+    try {
+      touchLastCheck(this.globalDir, this.nowImpl());
+      const c = await this.check();
+      if (!c.latest) return 'check-failed';
+      if (!c.available) return 'up-to-date';
+      this.logImpl(`auto-update: ${c.current} → ${c.latest} (${c.channel})`);
+      const r = await this.applyUpdate(c.latest, { from: c.current });
+      return r.ok ? 'updated' : (r.rolledBack ? 'rolled-back' : 'failed');
+    } finally {
+      this.inProgress = false;
+    }
+  }
+}

package/server/src/config.mjs

@@ -312,6 +312,12 @@ export function buildConfig(overrides = {}) {
       overrides.operatorToken ??
       env.WILD_WORKSPACE_OPERATOR_TOKEN ??
       loadOperatorToken(dataDir),
+    // RC1 hot-reload seam: the EXPLICIT token (override or env), with NO disk read.
+    // When this is null the live auth path re-reads the token file on each request
+    // (getOperatorToken) so `operator enable` takes effect with no restart; when a
+    // test/env pins a token, that value stays authoritative. (See index.mjs.)
+    operatorTokenExplicit:
+      overrides.operatorToken ?? env.WILD_WORKSPACE_OPERATOR_TOKEN ?? null,
     workspaceId:
       overrides.workspaceId ||
       env.WILD_WORKSPACE_ID ||