@venturewild/workspace 0.2.0 → 0.2.2

package/server/src/doctor.mjs

@@ -21,7 +21,7 @@ import { resolveDaemonBinary } from './daemon-bin.mjs';
 import { checkPort } from './preview.mjs';
 import { loadAccount } from './account.mjs';
 import { serviceStatus } from './service.mjs';
-import { probeHealth } from './supervisor.mjs';
+import { probeHealth, probeHealthVersion } from './supervisor.mjs';
 import { listLogs, diagnosticsDir } from './logpaths.mjs';
 
 const STATUS_ICON = { ok: '✅', warn: '⚠️', fail: '❌', info: 'ℹ️' };
@@ -36,6 +36,27 @@ function nodeMajor(version = process.version) {
   return m ? Number(m[1]) : 0;
 }
 
+// RC3: probe the LIVE public tunnel end-to-end — out to Cloudflare, through the
+// relay, down the daemon's tunnel, back to this server. This is the check the old
+// `doctor` lacked: it only resolved the slug in the registry (claimed in the DB),
+// which stays green even when `<slug>.venturewild.llc` is 502. A 200 here proves
+// the whole chain works; a 5xx/timeout is the exact RC2 "linked but unreachable".
+async function probeTunnel(slug, fetchImpl, timeoutMs = 8000) {
+  const url = `https://${encodeURIComponent(slug)}.venturewild.llc/api/health`;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, { signal: ctrl.signal, headers: { 'cache-control': 'no-cache' } });
+    let version = null;
+    try { version = (await res.json())?.version || null; } catch { /* non-JSON */ }
+    return { reachable: true, status: res.status, version, url };
+  } catch (e) {
+    return { reachable: false, error: String(e?.message || e), url };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // Reach the bmo-sync registry: resolve the user's slug if linked, else /health.
 async function probeRegistry(config, fetchImpl) {
   const base = String(config.bmoSyncServerUrl || '').replace(/\/$/, '');
@@ -71,6 +92,7 @@ export async function runDoctor(opts = {}, deps = {}) {
     serviceStatus: deps.serviceStatus || serviceStatus,
     listLogs: deps.listLogs || listLogs,
     fetchImpl: deps.fetchImpl || ((...a) => globalThis.fetch(...a)),
+    probeRunningVersion: deps.probeRunningVersion || probeHealthVersion,
   };
   const checks = [];
   const add = (c) => checks.push(c);
@@ -155,6 +177,26 @@ export async function runDoctor(opts = {}, deps = {}) {
       : { status: 'ok', detail: 'free', hint: null };
   });
 
+  // 5b. Running server version vs installed (RC3). `doctor` runs as the
+  // freshly-invoked CLI, so APP_VERSION here == the version installed on disk.
+  // If a server is answering :port with a DIFFERENT version, it's running stale
+  // code from before the last upgrade — the "kept running 0.1.14 after 0.2.1"
+  // failure. Surface it so the fix (restart) is obvious instead of invisible.
+  await guarded('runningVersion', 'Running version', async () => {
+    const running = await d.probeRunningVersion(config.port);
+    if (!running) {
+      return { status: 'info', detail: `no server answering :${config.port} (not started yet)`, hint: null };
+    }
+    if (running === APP_VERSION) {
+      return { status: 'ok', detail: `v${running} (matches installed)`, hint: null };
+    }
+    return {
+      status: 'warn',
+      detail: `running v${running}, but v${APP_VERSION} is installed`,
+      hint: 'A workspace server is running older code than what is installed. Restart it (close the app — always-on restarts it clean) to finish the upgrade.',
+    };
+  });
+
   // 6. Account linked (slug)
   let account = null;
   await guarded('account', 'Workspace account linked', async () => {
@@ -181,6 +223,38 @@ export async function runDoctor(opts = {}, deps = {}) {
       : { status: 'warn', detail: `server returned HTTP ${r.status}`, hint: null };
   });
 
+  // 7b. Public URL reachable end-to-end (RC3). Only meaningful once linked. This
+  // is the half the old doctor was blind to — the registry check above can be
+  // green (slug claimed) while this is red (tunnel down). Together they tell the
+  // two apart: claimed-but-unreachable ⟹ the daemon link is broken (RC2), the
+  // operator/auto-relink path is the fix.
+  await guarded('tunnel', 'Public URL reachable', async () => {
+    const slug = account?.slug || config.account?.slug || null;
+    if (!slug) {
+      return { status: 'info', detail: 'not linked — no public URL yet', hint: null };
+    }
+    const r = await probeTunnel(slug, d.fetchImpl);
+    if (!r.reachable) {
+      return {
+        status: 'fail',
+        detail: `${r.url} unreachable: ${r.error}`,
+        hint: 'The public link is down. Restart sync (`wild-workspace daemon stop` then `wild-workspace`), or the operator `relink-account` fix.',
+      };
+    }
+    if (r.status >= 500) {
+      return {
+        status: 'fail',
+        detail: `${r.url} returned HTTP ${r.status} (tunnel down — slug claimed but not linked)`,
+        hint: 'The daemon is not linked to the relay. Restart sync (`wild-workspace daemon stop` then `wild-workspace`).',
+      };
+    }
+    if (r.status >= 400) {
+      // 401/403/404 = the chain works; auth/slug is the nuance, not a tunnel fault.
+      return { status: 'warn', detail: `reachable but HTTP ${r.status} (auth/slug check)`, hint: null };
+    }
+    return { status: 'ok', detail: `live (HTTP ${r.status}${r.version ? `, v${r.version}` : ''})`, hint: null };
+  });
+
   // 8. Always-on / autostart
   await guarded('service', 'Always-on (autostart)', async () => {
     const s = await d.serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });

package/server/src/index.mjs

@@ -35,10 +35,12 @@ import { InboxWatcher } from './inbox.mjs';
 import { ActivityBus } from './activity.mjs';
 import { loadIdentity, saveIdentity, markOnboarded, TONES } from './agent-identity.mjs';
 import { probeAgentReadiness } from './agent-readiness.mjs';
+import { AutoUpdater, npmInstall, recordUpdate, loadUpdateSettings, PACKAGE_NAME } from './auto-update.mjs';
 import { ClaudeLoginSession } from './agent-login.mjs';
 import { ErrorReporter } from './error-reporter.mjs';
 import { DaemonBridge } from './daemon.mjs';
 import { DaemonSupervisor } from './daemon-supervisor.mjs';
+import { TunnelWatchdog } from './tunnel-watchdog.mjs';
 import { SyncControl } from './sync.mjs';
 import { detectPreviewPorts, checkPort } from './preview.mjs';
 import { createBazaar } from './bazaar/core.mjs';
@@ -47,6 +49,7 @@ import { matchCandidates } from './bazaar/mock-tickup.mjs';
 import { servePreviewFile, confineBuildDir } from './bazaar/preview-server.mjs';
 import { TURN_SYSTEM_PROMPT, writeTurnMcpConfig } from './turn-mcp.mjs';
 import { loadAccount } from './account.mjs';
+import { getOperatorToken } from './operator.mjs';
 import { runDoctor } from './doctor.mjs';
 import { appendLine, tailFile, logFile, TAILABLE, globalDir } from './logpaths.mjs';
 import { SessionReporter } from './session-reporter.mjs';
@@ -172,6 +175,29 @@ export async function createServer(overrides = {}) {
           .catch((e) => ({ started: false, error: String(e?.message || e) }))
       : Promise.resolve({ started: false, skipped: true });
 
+  // RC2 tunnel self-heal: when this install is slug-linked (so it's SUPPOSED to be
+  // reachable at <slug>.venturewild.llc), watch the public URL end-to-end and
+  // relink the daemon if it goes dead while we're locally healthy. Off without a
+  // daemon supervisor, without a slug, or under tests. `overrides.tunnelWatchdog`
+  // is a test seam (false disables; an object injects options).
+  const relinkDaemon = async () => {
+    if (!daemonSupervisor) return;
+    await daemonSupervisor.stop().catch(() => {});
+    await daemonSupervisor.ensureRunning().catch(() => {});
+  };
+  const tunnelWatchdog =
+    overrides.tunnelWatchdog === false ||
+    !daemonSupervisor ||
+    !config.account?.slug ||
+    !config.daemonAutostart
+      ? null
+      : new TunnelWatchdog({
+          publicBaseUrl: `https://${config.account.slug}.venturewild.llc`,
+          relink: relinkDaemon,
+          log: (m) => log('[tunnel]', m),
+          ...(typeof overrides.tunnelWatchdog === 'object' ? overrides.tunnelWatchdog : {}),
+        }).start();
+
   // Control plane for bmo-sync folder sharing (pair / detach / invite).
   // `overrides.syncControl` is a test seam.
   const syncControl =
@@ -488,6 +514,14 @@ export async function createServer(overrides = {}) {
   const app = new Hono();
 
   // --- auth helpers ---------------------------------------------------------
+  // RC1 hot-reload: resolve the operator token LIVE per request. An explicit
+  // override/env token (tests, pinned deployments) stays authoritative; otherwise
+  // the token file is re-read (TTL-cached) so `operator enable`/`disable` take
+  // effect with no server restart — the literal 401 from the first external
+  // install. `overrides.operatorDataDir` is unused; the file lives in dataDir.
+  const liveOperatorToken = () =>
+    config.operatorTokenExplicit ?? getOperatorToken(config.dataDir);
+
   // Classify one raw token into a role. Shared by the Authorization header, the
   // HttpOnly auth cookie, and the `?t=` query so all three stay consistent.
   // `allowOperator` is true ONLY for the header path — the operator (support)
@@ -498,7 +532,8 @@ export async function createServer(overrides = {}) {
     if (token === config.partnerToken) {
       return { role: ROLES.PARTNER, sub: 'partner', source };
     }
-    if (allowOperator && config.operatorToken && token === config.operatorToken) {
+    const opToken = allowOperator ? liveOperatorToken() : null;
+    if (opToken && token === opToken) {
       return { role: ROLES.OPERATOR, sub: 'operator', source: source || 'operator-token' };
     }
     const payload = await verifyShareToken(token, config.shareSecret);
@@ -985,6 +1020,22 @@ export async function createServer(overrides = {}) {
     return c.json({ agent: agentTag(activeAgent), ...verdict });
   });
 
+  // Auto-update status (Phase 2) — what's running, the channel, on/off, and the
+  // last update outcome (the "updated to vX" note the UI can surface). Read-only;
+  // the toggle/apply levers are the CLI + the operator channel.
+  app.get('/api/update/status', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const s = loadUpdateSettings(globalDir());
+    return c.json({
+      current: APP_VERSION,
+      enabled: s.enabled,
+      channel: s.channel,
+      lastCheckAt: s.lastCheckAt || null,
+      lastUpdate: s.lastUpdate || null,
+    });
+  });
+
   // In-app "Sign in to Claude" — drives `claude auth login` in a real PTY so the
   // browser OAuth callback auto-completes and the user never touches a terminal.
   // (See agent-login.mjs.) Claude opens the OAuth URL in the user's browser itself
@@ -1220,7 +1271,9 @@ export async function createServer(overrides = {}) {
     spawn,
     ...(overrides.operatorDeps || {}),
   };
-  const operatorEnabled = () => Boolean(config.operatorToken);
+  // Live so `operator enable` (run in a separate CLI process) lights the channel
+  // up without a server restart, and `operator disable` takes it dark (RC1).
+  const operatorEnabled = () => Boolean(liveOperatorToken());
   function auditOperator(c, action, detail) {
     const s = c.get('session') || {};
     appendLine('operator', `${action} by=${s.sub || 'operator'} src=${s.source || '-'} ${detail || ''}`.trim());
@@ -1267,6 +1320,24 @@ export async function createServer(overrides = {}) {
       child?.on?.('exit', (code) => appendLine('operator', `reinstall-daemon exited code=${code}`));
       return { started: true, pid: child?.pid || null, command: `${cmd} i -g @venturewild/workspace` };
     },
+    // Phase 2: check the user's channel and install a newer version if one exists.
+    // The always-on supervisor's version-drift auto-restart (RC1b) then loads it;
+    // the supervisor also owns autonomous health-gated rollback. This is the
+    // remote-support trigger for the same flow (Phase 3 capability).
+    'update-now': async () => {
+      const gdir = globalDir();
+      const check = await (operatorDeps.checkUpdate
+        ? operatorDeps.checkUpdate()
+        : new AutoUpdater({ globalDir: gdir }).check());
+      if (!check.latest) return { ok: false, reason: 'registry-unreachable', current: check.current };
+      if (!check.available) return { ok: true, updated: false, current: check.current, latest: check.latest };
+      appendLine('operator', `update-now installing ${check.current} → ${check.latest} (${check.channel})`);
+      const res = await (operatorDeps.npmInstall || npmInstall)(`${PACKAGE_NAME}@${check.latest}`);
+      const ok = res.code === 0;
+      if (ok) recordUpdate(gdir, { from: check.current, to: check.latest, at: Date.now(), status: 'installed' });
+      appendLine('operator', `update-now ${ok ? 'installed' : `failed code=${res.code}`}`);
+      return { ok, updated: ok, from: check.current, to: check.latest, code: res.code };
+    },
   };
 
   app.get('/api/operator/diag', async (c) => {
@@ -1887,6 +1958,7 @@ export async function createServer(overrides = {}) {
     daemonBridge,
     daemonSupervisor,
     daemonReady,
+    tunnelWatchdog,
     syncControl,
     sessionReporter,
     detectedAgents,
@@ -1898,6 +1970,7 @@ export async function createServer(overrides = {}) {
       try { transcriptRecorder.stop(); } catch {}
       try { inboxWatcher.stop(); } catch {}
       try { daemonBridge?.stop(); } catch {}
+      try { tunnelWatchdog?.stop(); } catch {}
       // The daemon is deliberately NOT stopped here — it is detached so sync
       // keeps running after wild-workspace closes. `wild-workspace daemon
       // stop` is the explicit off-switch.

package/server/src/operator.mjs

@@ -29,6 +29,33 @@ export function loadOperatorToken(dataDir) {
   }
 }
 
+// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
+// the value the server snapshotted at boot. Today `operator enable` writes the
+// token to disk but a long-running server keeps serving its cached "disabled"
+// state, so the channel 401s until a manual restart (the exact bug from the first
+// external install). A short TTL keeps this off the hot auth path — every request
+// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
+//
+// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
+// process don't read each other's tokens. `now` is injectable for tests.
+const _tokenCache = new Map(); // dataDir -> { token, at }
+export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
+  const t = now();
+  const hit = _tokenCache.get(dataDir);
+  if (hit && t - hit.at < ttlMs) return hit.token;
+  const token = loadOperatorToken(dataDir);
+  _tokenCache.set(dataDir, { token, at: t });
+  return token;
+}
+
+// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
+// a separate CLI process from the server, so they don't need this — it exists so
+// in-process callers (and tests) can force a re-read without waiting out the TTL.
+export function invalidateOperatorTokenCache(dataDir) {
+  if (dataDir === undefined) _tokenCache.clear();
+  else _tokenCache.delete(dataDir);
+}
+
 // Turn the channel on. Idempotent by default — returns the existing token if one
 // is already set (so a re-run doesn't invalidate the code the user already
 // shared). Pass { rotate:true } to force a fresh token. Returns the token, or

package/server/src/owner-browser.mjs

@@ -0,0 +1,84 @@
+// First-run browser orchestration for the LOCAL owner (B1). Extracted from the
+// CLI so it's importable + unit-testable without the bin's shebang. The CLI
+// (bin/wild-workspace.mjs) imports openOwnerBrowser; tests import the helpers.
+
+// The URL to open for the LOCAL owner. A slug-linked install runs in public
+// mode (the server denies anon — C1), so the owner must authenticate: append
+// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
+// and strips from the address bar (S1). A localhost-only install needs no token.
+// The token is only ever placed in the URL we hand the browser — never printed.
+export function localBrowserUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  const base = `http://${host}:${config.port}`;
+  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
+}
+
+// Ask the running local server (over genuine loopback) for a one-time sign-in
+// link to the PUBLIC url. Returns the URL or null (no slug / older server).
+export async function fetchPublicBootstrapUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  try {
+    const ac = new AbortController();
+    const t = setTimeout(() => ac.abort(), 4000);
+    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
+      method: 'POST',
+      signal: ac.signal,
+    });
+    clearTimeout(t);
+    if (!r.ok) return null;
+    const body = await r.json().catch(() => ({}));
+    return typeof body.url === 'string' ? body.url : null;
+  } catch {
+    return null;
+  }
+}
+
+// Poll the public url's /api/health until the tunnel forwards (200) or we give
+// up — so we never open the owner onto a 502 "warming up" page.
+export async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
+  const base = String(shareBaseUrl || '').replace(/\/$/, '');
+  if (!/^https?:\/\//.test(base)) return false;
+  for (let i = 0; i < tries; i += 1) {
+    try {
+      const ac = new AbortController();
+      const t = setTimeout(() => ac.abort(), 2500);
+      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
+      clearTimeout(t);
+      if (r.ok) return true;
+    } catch { /* not up yet */ }
+    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
+  }
+  return false;
+}
+
+// Open the owner's browser the friendliest way for THIS install:
+//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
+//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
+//    confirmed up. If it isn't ready yet, fall back to localhost (always works
+//    locally) and tell them their public url is warming up.
+//  - localhost-only: just open localhost.
+// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
+// `opts.open` / `opts.ready` are injectable seams for tests; in production the
+// opener is the dynamically-imported `open` package and `ready` uses the defaults.
+export async function openOwnerBrowser(config, opts = {}) {
+  let open = opts.open;
+  if (!open) {
+    try { open = (await import('open')).default; } catch { return; }
+  }
+  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
+  if (slugLinked) {
+    const link = await fetchPublicBootstrapUrl(config);
+    if (link && (await publicTunnelReady(config.shareBaseUrl, opts.ready))) {
+      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
+      try { await open(link); } catch { /* best-effort */ }
+      return 'public';
+    }
+    // Tunnel not up yet (or older server) — open locally so first run is never a
+    // dead page; the public url comes alive on its own as the daemon links.
+    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
+    return 'fallback-local';
+  }
+  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+  return 'local';
+}

package/server/src/reset.mjs

@@ -0,0 +1,78 @@
+// `wild-workspace reset` — take an install back to the beginning so it can be
+// re-onboarded clean. UNLINKS the account (slug/email/computer), RESETS
+// onboarding, and FLUSHES local config/state (device secrets, token registry,
+// chat thread, canvas + bazaar local state).
+//
+// It deliberately NEVER touches the user's workspace files (CLAUDE.md rule #1),
+// nor the always-on registration / consent choices — those are install plumbing,
+// not "the beginning". See RESET_KEEPS for the honest list of what survives.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+// What survives a reset — documented so the command stays honest about scope.
+export const RESET_KEEPS = [
+  "the user's workspace files (everything outside .wild-workspace) — never touched",
+  'service.json — always-on registration stays armed',
+  'observability.json — your consent choice is preserved',
+  'operator.json — the support-channel token',
+  'logs/ + diagnostics/ — kept for debugging',
+];
+
+// Build the list of targets to remove. `dataDirs` are the (possibly several)
+// cwd-keyed `.wild-workspace` dirs that hold the account/onboarding/chat; the
+// stable `globalDir` (~/.wild-workspace) holds device secrets + canvas/bazaar
+// state. Each target is annotated with whether it currently exists.
+export function planReset({ dataDirs = [], globalDir, includeMarketplace = true }) {
+  const targets = [];
+  const seen = new Set();
+  const add = (root, name, kind) => {
+    if (!root) return;
+    const p = path.join(root, name);
+    if (seen.has(p)) return;
+    seen.add(p);
+    targets.push({ path: p, kind, name });
+  };
+  // Per-workspace data dirs: the account binding + onboarding + chat thread,
+  // plus legacy secret/registry locations.
+  for (const dir of dataDirs) {
+    add(dir, 'account.json', 'file'); // unlink slug / email / this computer
+    add(dir, 'agent-identity.json', 'file'); // re-trigger onboarding
+    add(dir, 'chat-session.json', 'file'); // fresh chat thread
+    add(dir, 'secrets.json', 'file'); // legacy location (now in globalDir)
+    add(dir, 'revoked.json', 'file'); // legacy location
+  }
+  // Stable global dir: device secrets (regenerated fresh on next start) + the
+  // token registry + local UI/marketplace state.
+  add(globalDir, 'secrets.json', 'file');
+  add(globalDir, 'revoked.json', 'file');
+  if (includeMarketplace) {
+    add(globalDir, 'canvas', 'dir'); // agent-made blocks + theme.json
+    add(globalDir, 'bazaar', 'dir'); // local shelf + ledger
+  }
+  for (const t of targets) {
+    try {
+      t.exists = fs.existsSync(t.path);
+    } catch {
+      t.exists = false;
+    }
+  }
+  return targets;
+}
+
+// Remove every target that exists. Returns what was removed vs. what failed.
+// Idempotent: a missing target is simply skipped.
+export function applyReset(targets) {
+  const removed = [];
+  const failed = [];
+  for (const t of targets) {
+    if (!t.exists) continue;
+    try {
+      fs.rmSync(t.path, { recursive: t.kind === 'dir', force: true });
+      removed.push(t.path);
+    } catch (e) {
+      failed.push({ path: t.path, error: e?.message || String(e) });
+    }
+  }
+  return { removed, failed };
+}

package/server/src/supervisor.mjs

@@ -41,6 +41,47 @@ export function probeHealth(port, timeoutMs = 2500) {
   });
 }
 
+/**
+ * Ask the running server its version via /api/health. Returns the version string
+ * or null (server down / no version field / parse error). Never throws. Used by
+ * the version-drift check (RC1) — a stale server keeps running its OLD code after
+ * an upgrade, so we compare what's RUNNING to what's INSTALLED on disk.
+ */
+export function probeHealthVersion(port, timeoutMs = 2500) {
+  return new Promise((resolve) => {
+    const req = http.get(
+      { host: '127.0.0.1', port, path: '/api/health', timeout: timeoutMs },
+      (res) => {
+        let body = '';
+        res.on('data', (d) => { body += d; if (body.length > 4096) req.destroy(); });
+        res.on('end', () => {
+          try { resolve(JSON.parse(body).version || null); } catch { resolve(null); }
+        });
+      },
+    );
+    req.on('error', () => resolve(null));
+    req.on('timeout', () => { req.destroy(); resolve(null); });
+  });
+}
+
+/**
+ * The version installed on disk RIGHT NOW — read fresh from the package.json that
+ * ships next to this file, NOT the in-memory APP_VERSION constant. The supervisor
+ * is long-lived: after `npm i -g` (or the operator `reinstall-daemon`) swaps the
+ * package, the supervisor's own constant is stale too, so only a fresh disk read
+ * sees the new version. Respawning the server child reloads index.mjs from this
+ * same path, so the restart actually picks up the new code. Returns null on error.
+ */
+export function installedVersion(entry = DEFAULT_SERVER_ENTRY) {
+  try {
+    // index.mjs lives at <pkg>/server/src/index.mjs → package.json is ../../.
+    const pkg = path.resolve(path.dirname(entry), '..', '..', 'package.json');
+    return JSON.parse(fs.readFileSync(pkg, 'utf8')).version || null;
+  } catch {
+    return null;
+  }
+}
+
 export class WorkspaceSupervisor {
   constructor({
     serverEntry = DEFAULT_SERVER_ENTRY,
@@ -58,12 +99,32 @@ export class WorkspaceSupervisor {
     env = process.env,
     crashLoopThreshold = 3,
     diagnosticsImpl = null,
+    // RC1 version-drift auto-restart: when the RUNNING server reports an older
+    // version than what's INSTALLED on disk, restart it so it picks up the new
+    // code. On by default; seams injected for tests. WILD_WORKSPACE_NO_AUTORESTART=1
+    // disables it (e.g. a developer running an intentionally-older server).
+    autoRestartOnVersionDrift = env.WILD_WORKSPACE_NO_AUTORESTART !== '1',
+    versionImpl = probeHealthVersion,
+    installedVersionImpl = () => installedVersion(serverEntry),
+    // Phase 2 auto-update (Pillar B): the always-on supervisor self-updates the
+    // whole stack on the user's channel, with health-gated rollback. On by
+    // default; the env kill switch + the persisted off switch both disable it.
+    // Only wired up in start() (not in the unit-test path, which calls tick()
+    // directly) — see start(). updatePollMs is the *wake* cadence; the actual
+    // check interval lives inside AutoUpdater (6h) and self-rate-limits.
+    autoUpdate = env.WILD_WORKSPACE_NO_AUTOUPDATE !== '1',
+    updatePollMs = 60 * 60 * 1000, // wake hourly; AutoUpdater gates real checks
+    autoUpdaterFactory = null, //     test seam: (supervisor) => AutoUpdater-like
   } = {}) {
     Object.assign(this, {
       serverEntry, workspaceDir, port, globalDir, node, pollMs,
       backoffStartMs, backoffMaxMs, probeTimeoutMs, spawnImpl, probeImpl, nowImpl, env,
       crashLoopThreshold, diagnosticsImpl,
+      autoRestartOnVersionDrift, versionImpl, installedVersionImpl,
+      autoUpdate, updatePollMs, autoUpdaterFactory,
     });
+    this.autoUpdater = null;
+    this.updateTimer = null;
     this.logFile = path.join(globalDir, 'supervisor.log');
     this.serverLogFile = path.join(globalDir, 'server.out.log');
     this.lockFile = path.join(globalDir, 'supervisor.lock');
@@ -135,6 +196,28 @@ export class WorkspaceSupervisor {
       this.backoff = this.backoffStartMs; // healthy → reset backoff
       this.spawnCount = 0; //              healthy → not a crash loop
       this.pushedThisEpisode = false;
+      // RC1 version drift: a healthy-but-STALE server (running older code than
+      // what's installed) should be restarted so the upgrade actually lands.
+      // Only when WE own the child — we restart by killing it and letting the
+      // next tick respawn (which reloads index.mjs from disk). A server started
+      // by someone else (foreground `wild-workspace`) we leave alone; we have no
+      // handle on it. The restarted server reports the installed version, so the
+      // drift clears and this won't loop.
+      if (this.autoRestartOnVersionDrift && this.child) {
+        try {
+          const running = await this.versionImpl(this.port, this.probeTimeoutMs);
+          const installed = this.installedVersionImpl();
+          if (running && installed && running !== installed) {
+            this.log(`version drift: running=${running} installed=${installed} — restarting server`);
+            try { this.child.kill(); } catch { /* exit handler clears child */ }
+            this.child = null;
+            this.backoff = this.backoffStartMs; // upgrade is intentional, not a crash
+            return 'version-drift-restart';
+          }
+        } catch (e) {
+          this.log(`version-drift check error: ${e?.message || e}`);
+        }
+      }
       return 'healthy';
     }
     if (this.child) return 'booting';                                  // spawned, still coming up
@@ -198,6 +281,47 @@ export class WorkspaceSupervisor {
     }
   }
 
+  /**
+   * Restart the supervised server child so freshly installed code is loaded.
+   * Kills it and lets the next tick respawn (which reloads index.mjs from disk) —
+   * the same mechanism as the version-drift restart, exposed for the AutoUpdater.
+   * No-op (returns false) when we don't own a child (foreground server).
+   */
+  restartChild() {
+    if (!this.child) return false;
+    this.log('restartChild: killing server to load new code');
+    try { this.child.kill(); } catch { /* exit handler clears child */ }
+    this.child = null;
+    this.backoff = this.backoffStartMs; // an intentional restart, not a crash
+    return true;
+  }
+
+  /** Build the AutoUpdater bound to this supervisor. Separated for the test seam. */
+  async buildAutoUpdater() {
+    if (this.autoUpdaterFactory) return this.autoUpdaterFactory(this);
+    // Lazy import keeps the unit-test path (which never calls start()) free of the
+    // auto-update module + its registry/npm seams.
+    const { AutoUpdater } = await import('./auto-update.mjs');
+    return new AutoUpdater({
+      globalDir: this.globalDir,
+      port: this.port,
+      installedVersionImpl: this.installedVersionImpl,
+      healthVersionImpl: (port) => this.versionImpl(port, this.probeTimeoutMs),
+      restartImpl: async () => { this.restartChild(); },
+      nowImpl: this.nowImpl,
+      env: this.env,
+      logImpl: (m) => this.log(m),
+      onUpdate: (rec) => this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`),
+    });
+  }
+
+  runUpdateTick() {
+    if (!this.autoUpdater) return;
+    this.autoUpdater.tick()
+      .then((r) => { if (r && !['not-due', 'disabled', 'up-to-date', 'busy'].includes(r)) this.log(`auto-update tick: ${r}`); })
+      .catch((e) => this.log(`auto-update error: ${e?.message || e}`));
+  }
+
   /** Acquire the lock and start the supervision loop. Idempotent across processes. */
   start() {
     if (!this.acquireLock()) return { started: false, reason: 'already-running' };
@@ -207,11 +331,24 @@ export class WorkspaceSupervisor {
     this.log(`supervisor start pid=${process.pid} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
     this.timer = setInterval(() => { this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`)); }, this.pollMs);
     this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));
+
+    // Phase 2 auto-update: wake on a slow timer; the first check fires shortly
+    // after start so the server has time to come up (verify reads its /health).
+    if (this.autoUpdate && this.env.VITEST !== 'true' && this.env.NODE_ENV !== 'test') {
+      this.buildAutoUpdater().then((u) => {
+        this.autoUpdater = u;
+        this.updateTimer = setInterval(() => this.runUpdateTick(), this.updatePollMs);
+        if (this.updateTimer.unref) this.updateTimer.unref();
+        const kick = setTimeout(() => this.runUpdateTick(), 60_000);
+        if (kick.unref) kick.unref();
+      }).catch((e) => this.log(`auto-update init error: ${e?.message || e}`));
+    }
     return { started: true };
   }
 
   stop() {
     if (this.timer) { clearInterval(this.timer); this.timer = null; }
+    if (this.updateTimer) { clearInterval(this.updateTimer); this.updateTimer = null; }
     this.releaseLock();
   }
 }