@venturewild/workspace 0.2.1 → 0.2.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.2.1",
+  "version": "0.2.3",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/bin/wild-workspace.mjs

@@ -23,6 +23,10 @@ import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
 import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
 import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
 import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
+import {
+  AutoUpdater, PACKAGE_NAME, npmInstall, recordUpdate,
+  loadUpdateSettings, setUpdateEnabled, setUpdateChannel,
+} from '../src/auto-update.mjs';
 import { openOwnerBrowser } from '../src/owner-browser.mjs';
 import { planReset, applyReset, RESET_KEEPS } from '../src/reset.mjs';
 
@@ -56,6 +60,9 @@ Usage:
   wild-workspace operator disable revoke the support token
   wild-workspace operator status  is the support channel on?
   wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
+  wild-workspace update [apply]   check for / install a newer version (auto by default)
+  wild-workspace update on|off    toggle background auto-update
+  wild-workspace update channel stable|beta   choose the update channel
   wild-workspace service install  keep your workspace always-on (starts at login, no admin)
   wild-workspace service uninstall   turn always-on off
   wild-workspace service status   show always-on status (installed? supervisor? server?)
@@ -599,6 +606,67 @@ async function runObservabilityCommand(action = 'status', opts = {}) {
   return;
 }
 
+// `wild-workspace update [apply|on|off|channel <stable|beta>]` — Phase 2
+// auto-update (docs/remote-support-and-self-healing-design.md). With no
+// sub-command it checks the channel for a newer release; `apply` installs it now;
+// `on`/`off` toggle the default-on background updater; `channel` switches
+// stable/beta. The always-on supervisor does this automatically — this is the
+// manual lever + the off switch.
+async function runUpdateCommand(opts) {
+  const sub = opts.positional[1];
+  const gdir = globalDir();
+
+  if (sub === 'on' || sub === 'off') {
+    const rec = setUpdateEnabled(gdir, sub === 'on');
+    console.log(
+      rec.enabled
+        ? '✓ auto-update ON — wild-workspace keeps itself up to date in the background.'
+        : '✓ auto-update OFF — update manually with `wild-workspace update apply`.',
+    );
+    console.log(`  channel: ${rec.channel}`);
+    return;
+  }
+  if (sub === 'channel') {
+    const chan = opts.positional[2];
+    if (chan !== 'stable' && chan !== 'beta') {
+      console.log('usage: wild-workspace update channel stable|beta');
+      return;
+    }
+    console.log(`✓ update channel set to ${setUpdateChannel(gdir, chan).channel}.`);
+    return;
+  }
+
+  const settings = loadUpdateSettings(gdir);
+  const c = await new AutoUpdater({ globalDir: gdir }).check();
+  console.log(`wild-workspace ${c.current}  (channel: ${c.channel}, auto-update: ${settings.enabled ? 'on' : 'off'})`);
+  if (!c.latest) {
+    console.log('  could not reach the npm registry to check for updates.');
+    process.exitCode = 1;
+    return;
+  }
+  if (!c.available) {
+    console.log(`  up to date — ${c.latest} is the latest on ${c.channel}.`);
+    return;
+  }
+  console.log(`  update available: ${c.current} → ${c.latest}`);
+  if (sub !== 'apply') {
+    console.log('  run `wild-workspace update apply` to install it now.');
+    return;
+  }
+  console.log(`  installing ${c.latest}…`);
+  const res = await npmInstall(`${PACKAGE_NAME}@${c.latest}`);
+  if (res.code === 0) {
+    recordUpdate(gdir, { from: c.current, to: c.latest, at: Date.now(), status: 'installed' });
+    console.log(`  ✓ installed ${c.latest}.`);
+    console.log('  The always-on supervisor will restart into the new version shortly,');
+    console.log('  or restart `wild-workspace` yourself to use it now.');
+  } else {
+    console.log(`  ✗ install failed (code ${res.code}).`);
+    if (res.output) console.log('  ' + res.output.split('\n').filter(Boolean).slice(-3).join('\n  '));
+    process.exitCode = 1;
+  }
+}
+
 // `wild-workspace operator [enable|disable|status]` — the consented support
 // channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
 // the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
@@ -734,6 +802,9 @@ async function main() {
   if (opts.positional[0] === 'logs') {
     return runLogsCommand(opts);
   }
+  if (opts.positional[0] === 'update') {
+    return runUpdateCommand(opts);
+  }
   if (opts.positional[0] === 'operator') {
     return runOperatorCommand(opts.positional[1], opts);
   }

package/server/src/auto-update.mjs

@@ -0,0 +1,277 @@
+// AutoUpdater — Phase 2 (Pillar B) of the self-healing epic
+// (docs/remote-support-and-self-healing-design.md). Kills the manual `npm i -g`
+// re-install treadmill that turned the first external install into a copy-paste
+// marathon: the always-on supervisor periodically checks the published version on
+// the user's channel, and on a new release it installs it, restarts the supervised
+// server (reusing the version-drift restart RC1b already ships), health-checks the
+// result, and ROLLS BACK to the pinned previous version if the new one doesn't come
+// up healthy.
+//
+// Tuan's locked decisions (design doc Part 6): auto-update is DEFAULT-ON (the
+// OneDrive bar — it just updates itself) with a visible "updated to vX" note + an
+// off switch; channels are `stable` (default) and `beta` (opt-in).
+//
+// Like observability.mjs/operator.mjs, settings live in their own file in the
+// machine-global dir (~/.wild-workspace, NEVER the synced workspace — locked
+// principle #1) so they survive the supervisor relaunching from a different cwd.
+//
+// Every external touch-point (npm install, registry fetch, health probe, restart,
+// clock, sleep) is an injected seam so the suite never spawns a process, hits the
+// network, or actually waits.
+
+import { spawn } from 'node:child_process';
+import fs from 'node:fs';
+import path from 'node:path';
+import { globalDir as defaultGlobalDir } from './logpaths.mjs';
+import { installedVersion, probeHealthVersion } from './supervisor.mjs';
+import { ensureToolPath } from './agent.mjs';
+
+export const PACKAGE_NAME = '@venturewild/workspace';
+const DEFAULT_CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6h — releases are not frequent
+
+// --- persisted settings (~/.wild-workspace/update.json) ----------------------
+
+function updateFile(dir) { return path.join(dir, 'update.json'); }
+
+/**
+ * DEFAULT-ON: an absent file means "auto-update enabled, stable channel" — the
+ * disclosure rides onboarding + the visible update note, mirroring observability.
+ */
+export function loadUpdateSettings(dir = defaultGlobalDir()) {
+  try {
+    const p = JSON.parse(fs.readFileSync(updateFile(dir), 'utf8'));
+    return {
+      enabled: p.enabled !== false,
+      channel: p.channel === 'beta' ? 'beta' : 'stable',
+      lastCheckAt: Number(p.lastCheckAt) || 0,
+      lastUpdate: p.lastUpdate || null, // { from, to, at, status }
+    };
+  } catch {
+    return { enabled: true, channel: 'stable', lastCheckAt: 0, lastUpdate: null };
+  }
+}
+
+function writeSettings(dir, rec) {
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(updateFile(dir), JSON.stringify(rec, null, 2), { mode: 0o600 });
+  } catch {
+    /* read-only fs — fall back to in-memory for this run */
+  }
+  return rec;
+}
+
+export function setUpdateEnabled(dir, enabled) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), enabled: Boolean(enabled) });
+}
+export function setUpdateChannel(dir, channel) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), channel: channel === 'beta' ? 'beta' : 'stable' });
+}
+export function touchLastCheck(dir, at) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), lastCheckAt: at });
+}
+/** Record the outcome of an update attempt; returns the stored record. */
+export function recordUpdate(dir, rec) {
+  return writeSettings(dir, { ...loadUpdateSettings(dir), lastUpdate: rec }).lastUpdate;
+}
+
+// --- semver compare (no dep) -------------------------------------------------
+
+function parseVersion(v) {
+  const [core, pre = ''] = String(v).replace(/^v/, '').split('-');
+  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
+  while (nums.length < 3) nums.push(0);
+  return { nums, pre };
+}
+
+/** True iff version `a` is strictly newer than `b` (good enough for dist-tags). */
+export function isNewer(a, b) {
+  if (!a || !b) return false;
+  const pa = parseVersion(a), pb = parseVersion(b);
+  for (let i = 0; i < 3; i++) {
+    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] > pb.nums[i];
+  }
+  // Equal core: a release (no prerelease) outranks a prerelease; else lexical.
+  if (pa.pre && !pb.pre) return false;
+  if (!pa.pre && pb.pre) return true;
+  if (pa.pre && pb.pre) return pa.pre > pb.pre;
+  return false; // identical
+}
+
+// --- registry + npm primitives -----------------------------------------------
+
+/**
+ * The version published on `channel`'s dist-tag (stable→latest, beta→beta), or
+ * null on any failure. Uses the abbreviated registry document (smaller payload).
+ */
+export async function fetchLatestVersion(channel, {
+  fetchImpl = fetch, packageName = PACKAGE_NAME, timeoutMs = 8000,
+} = {}) {
+  const tag = channel === 'beta' ? 'beta' : 'latest';
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(`https://registry.npmjs.org/${packageName.replace('/', '%2f')}`, {
+      signal: ctrl.signal,
+      headers: { accept: 'application/vnd.npm.install-v1+json' },
+    });
+    if (!res || !res.ok) return null;
+    const body = await res.json();
+    return body?.['dist-tags']?.[tag] || null;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/** Run `npm i -g <spec>`. Resolves {code, output, timedOut?, error?}; never rejects. */
+export function npmInstall(spec, {
+  spawnImpl = spawn, timeoutMs = 180000, ensurePathImpl = ensureToolPath, env = process.env,
+} = {}) {
+  return new Promise((resolve) => {
+    const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    // The always-on supervisor (our caller in the field) runs under launchd/GUI,
+    // which inherits a MINIMAL PATH omitting ~/.npm-global, /usr/local/bin,
+    // Homebrew, nvm — so a bare `npm` spawn would ENOENT (the 0.1.8 `claude`
+    // bug class). Augment PATH the same way agent.mjs does before spawning. We
+    // copy env so we never mutate the caller's process.env.
+    const childEnv = { ...env };
+    try { ensurePathImpl(childEnv); } catch { /* best-effort — fall back to inherited PATH */ }
+    let child;
+    try {
+      child = spawnImpl(cmd, ['i', '-g', spec], { windowsHide: true, env: childEnv });
+    } catch (e) {
+      return resolve({ code: -1, error: e?.message || String(e), output: '' });
+    }
+    let out = '';
+    const cap = (d) => { out += String(d); if (out.length > 20000) out = out.slice(-20000); };
+    child.stdout?.on?.('data', cap);
+    child.stderr?.on?.('data', cap);
+    const timer = setTimeout(() => { try { child.kill?.(); } catch { /* gone */ } resolve({ code: -1, timedOut: true, output: out }); }, timeoutMs);
+    child.on?.('exit', (code) => { clearTimeout(timer); resolve({ code, output: out }); });
+    child.on?.('error', (e) => { clearTimeout(timer); resolve({ code: -1, error: e?.message || String(e), output: out }); });
+  });
+}
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+// --- the updater -------------------------------------------------------------
+
+export class AutoUpdater {
+  constructor({
+    globalDir = defaultGlobalDir(),
+    packageName = PACKAGE_NAME,
+    port = Number(process.env.WILD_WORKSPACE_PORT || 5173),
+    installedVersionImpl = () => installedVersion(),
+    fetchLatestImpl = fetchLatestVersion,
+    installImpl = npmInstall,
+    // Ask the owner (the supervisor) to restart the server child so the freshly
+    // installed code is loaded. Default no-op for standalone/manual use.
+    restartImpl = async () => {},
+    // Read the RUNNING server's version (probeHealthVersion bound to our port).
+    healthVersionImpl = (port_) => probeHealthVersion(port_),
+    nowImpl = () => Date.now(),
+    logImpl = () => {},
+    env = process.env,
+    checkIntervalMs = DEFAULT_CHECK_INTERVAL_MS,
+    verifyAttempts = 10,
+    verifyDelayMs = 3000,
+    sleepImpl = sleep,
+    onUpdate = null, // (rec) => void — surface the "updated to vX" note
+  } = {}) {
+    Object.assign(this, {
+      globalDir, packageName, port, installedVersionImpl, fetchLatestImpl, installImpl,
+      restartImpl, healthVersionImpl, nowImpl, logImpl, env,
+      checkIntervalMs, verifyAttempts, verifyDelayMs, sleepImpl, onUpdate,
+    });
+    this.inProgress = false;
+  }
+
+  enabled() {
+    if (this.env.WILD_WORKSPACE_NO_AUTOUPDATE === '1') return false; // hard kill switch
+    return loadUpdateSettings(this.globalDir).enabled;
+  }
+
+  channel() { return loadUpdateSettings(this.globalDir).channel; }
+
+  dueForCheck(settings = loadUpdateSettings(this.globalDir)) {
+    return this.nowImpl() - (settings.lastCheckAt || 0) >= this.checkIntervalMs;
+  }
+
+  /** What's installed vs what's published — { current, latest, channel, available }. */
+  async check() {
+    const current = this.installedVersionImpl();
+    const channel = this.channel();
+    const latest = await this.fetchLatestImpl(channel, { packageName: this.packageName });
+    return { current, latest, channel, available: isNewer(latest, current) };
+  }
+
+  /** Poll the running server until it reports `expected`, up to verifyAttempts. */
+  async verify(expected) {
+    for (let i = 0; i < this.verifyAttempts; i++) {
+      let running = null;
+      try { running = await this.healthVersionImpl(this.port); } catch { running = null; }
+      if (running && running === expected) return true;
+      await this.sleepImpl(this.verifyDelayMs);
+    }
+    return false;
+  }
+
+  /**
+   * Install `target`, restart, verify healthy; on failure roll back to `from`.
+   * Returns { ok, stage?, rolledBack?, rec }. Records the outcome to update.json.
+   */
+  async applyUpdate(target, { from } = {}) {
+    this.logImpl(`auto-update: installing ${this.packageName}@${target} (from ${from || 'unknown'})`);
+    const install = await this.installImpl(`${this.packageName}@${target}`);
+    if (install.code !== 0) {
+      this.logImpl(`auto-update: install failed code=${install.code}${install.timedOut ? ' (timeout)' : ''}`);
+      const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status: 'install-failed' });
+      this.onUpdate?.(rec);
+      return { ok: false, stage: 'install', install, rec };
+    }
+    await this.restartImpl();
+    if (await this.verify(target)) {
+      this.logImpl(`auto-update: now running ${target}`);
+      const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status: 'ok' });
+      this.onUpdate?.(rec);
+      return { ok: true, rec };
+    }
+    // New version didn't come up healthy → roll back to the pinned previous.
+    this.logImpl(`auto-update: ${target} unhealthy — rolling back to ${from}`);
+    let rolledBack = false;
+    if (from) {
+      const rb = await this.installImpl(`${this.packageName}@${from}`);
+      if (rb.code === 0) { await this.restartImpl(); rolledBack = await this.verify(from); }
+    }
+    const status = rolledBack ? 'rolled-back' : 'rollback-failed';
+    this.logImpl(`auto-update: ${status} (target ${target})`);
+    const rec = recordUpdate(this.globalDir, { from, to: target, at: this.nowImpl(), status });
+    this.onUpdate?.(rec);
+    return { ok: false, stage: 'verify', rolledBack, rec };
+  }
+
+  /**
+   * One auto-update cycle, called on the supervisor's slow timer. Self-rate-limits
+   * via dueForCheck so the timer cadence and the check interval are independent.
+   * Returns a short status string (exposed for tests/logging).
+   */
+  async tick() {
+    if (this.inProgress) return 'busy';
+    if (!this.enabled()) return 'disabled';
+    if (!this.dueForCheck()) return 'not-due';
+    this.inProgress = true;
+    try {
+      touchLastCheck(this.globalDir, this.nowImpl());
+      const c = await this.check();
+      if (!c.latest) return 'check-failed';
+      if (!c.available) return 'up-to-date';
+      this.logImpl(`auto-update: ${c.current} → ${c.latest} (${c.channel})`);
+      const r = await this.applyUpdate(c.latest, { from: c.current });
+      return r.ok ? 'updated' : (r.rolledBack ? 'rolled-back' : 'failed');
+    } finally {
+      this.inProgress = false;
+    }
+  }
+}

package/server/src/config.mjs

@@ -312,6 +312,12 @@ export function buildConfig(overrides = {}) {
       overrides.operatorToken ??
       env.WILD_WORKSPACE_OPERATOR_TOKEN ??
       loadOperatorToken(dataDir),
+    // RC1 hot-reload seam: the EXPLICIT token (override or env), with NO disk read.
+    // When this is null the live auth path re-reads the token file on each request
+    // (getOperatorToken) so `operator enable` takes effect with no restart; when a
+    // test/env pins a token, that value stays authoritative. (See index.mjs.)
+    operatorTokenExplicit:
+      overrides.operatorToken ?? env.WILD_WORKSPACE_OPERATOR_TOKEN ?? null,
     workspaceId:
       overrides.workspaceId ||
       env.WILD_WORKSPACE_ID ||

package/server/src/doctor.mjs

@@ -21,7 +21,7 @@ import { resolveDaemonBinary } from './daemon-bin.mjs';
 import { checkPort } from './preview.mjs';
 import { loadAccount } from './account.mjs';
 import { serviceStatus } from './service.mjs';
-import { probeHealth } from './supervisor.mjs';
+import { probeHealth, probeHealthVersion } from './supervisor.mjs';
 import { listLogs, diagnosticsDir } from './logpaths.mjs';
 
 const STATUS_ICON = { ok: '✅', warn: '⚠️', fail: '❌', info: 'ℹ️' };
@@ -36,6 +36,27 @@ function nodeMajor(version = process.version) {
   return m ? Number(m[1]) : 0;
 }
 
+// RC3: probe the LIVE public tunnel end-to-end — out to Cloudflare, through the
+// relay, down the daemon's tunnel, back to this server. This is the check the old
+// `doctor` lacked: it only resolved the slug in the registry (claimed in the DB),
+// which stays green even when `<slug>.venturewild.llc` is 502. A 200 here proves
+// the whole chain works; a 5xx/timeout is the exact RC2 "linked but unreachable".
+async function probeTunnel(slug, fetchImpl, timeoutMs = 8000) {
+  const url = `https://${encodeURIComponent(slug)}.venturewild.llc/api/health`;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, { signal: ctrl.signal, headers: { 'cache-control': 'no-cache' } });
+    let version = null;
+    try { version = (await res.json())?.version || null; } catch { /* non-JSON */ }
+    return { reachable: true, status: res.status, version, url };
+  } catch (e) {
+    return { reachable: false, error: String(e?.message || e), url };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // Reach the bmo-sync registry: resolve the user's slug if linked, else /health.
 async function probeRegistry(config, fetchImpl) {
   const base = String(config.bmoSyncServerUrl || '').replace(/\/$/, '');
@@ -71,6 +92,7 @@ export async function runDoctor(opts = {}, deps = {}) {
     serviceStatus: deps.serviceStatus || serviceStatus,
     listLogs: deps.listLogs || listLogs,
     fetchImpl: deps.fetchImpl || ((...a) => globalThis.fetch(...a)),
+    probeRunningVersion: deps.probeRunningVersion || probeHealthVersion,
   };
   const checks = [];
   const add = (c) => checks.push(c);
@@ -155,6 +177,26 @@ export async function runDoctor(opts = {}, deps = {}) {
       : { status: 'ok', detail: 'free', hint: null };
   });
 
+  // 5b. Running server version vs installed (RC3). `doctor` runs as the
+  // freshly-invoked CLI, so APP_VERSION here == the version installed on disk.
+  // If a server is answering :port with a DIFFERENT version, it's running stale
+  // code from before the last upgrade — the "kept running 0.1.14 after 0.2.1"
+  // failure. Surface it so the fix (restart) is obvious instead of invisible.
+  await guarded('runningVersion', 'Running version', async () => {
+    const running = await d.probeRunningVersion(config.port);
+    if (!running) {
+      return { status: 'info', detail: `no server answering :${config.port} (not started yet)`, hint: null };
+    }
+    if (running === APP_VERSION) {
+      return { status: 'ok', detail: `v${running} (matches installed)`, hint: null };
+    }
+    return {
+      status: 'warn',
+      detail: `running v${running}, but v${APP_VERSION} is installed`,
+      hint: 'A workspace server is running older code than what is installed. Restart it (close the app — always-on restarts it clean) to finish the upgrade.',
+    };
+  });
+
   // 6. Account linked (slug)
   let account = null;
   await guarded('account', 'Workspace account linked', async () => {
@@ -181,6 +223,38 @@ export async function runDoctor(opts = {}, deps = {}) {
       : { status: 'warn', detail: `server returned HTTP ${r.status}`, hint: null };
   });
 
+  // 7b. Public URL reachable end-to-end (RC3). Only meaningful once linked. This
+  // is the half the old doctor was blind to — the registry check above can be
+  // green (slug claimed) while this is red (tunnel down). Together they tell the
+  // two apart: claimed-but-unreachable ⟹ the daemon link is broken (RC2), the
+  // operator/auto-relink path is the fix.
+  await guarded('tunnel', 'Public URL reachable', async () => {
+    const slug = account?.slug || config.account?.slug || null;
+    if (!slug) {
+      return { status: 'info', detail: 'not linked — no public URL yet', hint: null };
+    }
+    const r = await probeTunnel(slug, d.fetchImpl);
+    if (!r.reachable) {
+      return {
+        status: 'fail',
+        detail: `${r.url} unreachable: ${r.error}`,
+        hint: 'The public link is down. Restart sync (`wild-workspace daemon stop` then `wild-workspace`), or the operator `relink-account` fix.',
+      };
+    }
+    if (r.status >= 500) {
+      return {
+        status: 'fail',
+        detail: `${r.url} returned HTTP ${r.status} (tunnel down — slug claimed but not linked)`,
+        hint: 'The daemon is not linked to the relay. Restart sync (`wild-workspace daemon stop` then `wild-workspace`).',
+      };
+    }
+    if (r.status >= 400) {
+      // 401/403/404 = the chain works; auth/slug is the nuance, not a tunnel fault.
+      return { status: 'warn', detail: `reachable but HTTP ${r.status} (auth/slug check)`, hint: null };
+    }
+    return { status: 'ok', detail: `live (HTTP ${r.status}${r.version ? `, v${r.version}` : ''})`, hint: null };
+  });
+
   // 8. Always-on / autostart
   await guarded('service', 'Always-on (autostart)', async () => {
     const s = await d.serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });

package/server/src/index.mjs

@@ -35,10 +35,12 @@ import { InboxWatcher } from './inbox.mjs';
 import { ActivityBus } from './activity.mjs';
 import { loadIdentity, saveIdentity, markOnboarded, TONES } from './agent-identity.mjs';
 import { probeAgentReadiness } from './agent-readiness.mjs';
+import { AutoUpdater, npmInstall, recordUpdate, loadUpdateSettings, PACKAGE_NAME } from './auto-update.mjs';
 import { ClaudeLoginSession } from './agent-login.mjs';
 import { ErrorReporter } from './error-reporter.mjs';
 import { DaemonBridge } from './daemon.mjs';
 import { DaemonSupervisor } from './daemon-supervisor.mjs';
+import { TunnelWatchdog } from './tunnel-watchdog.mjs';
 import { SyncControl } from './sync.mjs';
 import { detectPreviewPorts, checkPort } from './preview.mjs';
 import { createBazaar } from './bazaar/core.mjs';
@@ -47,6 +49,7 @@ import { matchCandidates } from './bazaar/mock-tickup.mjs';
 import { servePreviewFile, confineBuildDir } from './bazaar/preview-server.mjs';
 import { TURN_SYSTEM_PROMPT, writeTurnMcpConfig } from './turn-mcp.mjs';
 import { loadAccount } from './account.mjs';
+import { getOperatorToken } from './operator.mjs';
 import { runDoctor } from './doctor.mjs';
 import { appendLine, tailFile, logFile, TAILABLE, globalDir } from './logpaths.mjs';
 import { SessionReporter } from './session-reporter.mjs';
@@ -172,6 +175,29 @@ export async function createServer(overrides = {}) {
           .catch((e) => ({ started: false, error: String(e?.message || e) }))
       : Promise.resolve({ started: false, skipped: true });
 
+  // RC2 tunnel self-heal: when this install is slug-linked (so it's SUPPOSED to be
+  // reachable at <slug>.venturewild.llc), watch the public URL end-to-end and
+  // relink the daemon if it goes dead while we're locally healthy. Off without a
+  // daemon supervisor, without a slug, or under tests. `overrides.tunnelWatchdog`
+  // is a test seam (false disables; an object injects options).
+  const relinkDaemon = async () => {
+    if (!daemonSupervisor) return;
+    await daemonSupervisor.stop().catch(() => {});
+    await daemonSupervisor.ensureRunning().catch(() => {});
+  };
+  const tunnelWatchdog =
+    overrides.tunnelWatchdog === false ||
+    !daemonSupervisor ||
+    !config.account?.slug ||
+    !config.daemonAutostart
+      ? null
+      : new TunnelWatchdog({
+          publicBaseUrl: `https://${config.account.slug}.venturewild.llc`,
+          relink: relinkDaemon,
+          log: (m) => log('[tunnel]', m),
+          ...(typeof overrides.tunnelWatchdog === 'object' ? overrides.tunnelWatchdog : {}),
+        }).start();
+
   // Control plane for bmo-sync folder sharing (pair / detach / invite).
   // `overrides.syncControl` is a test seam.
   const syncControl =
@@ -488,6 +514,14 @@ export async function createServer(overrides = {}) {
   const app = new Hono();
 
   // --- auth helpers ---------------------------------------------------------
+  // RC1 hot-reload: resolve the operator token LIVE per request. An explicit
+  // override/env token (tests, pinned deployments) stays authoritative; otherwise
+  // the token file is re-read (TTL-cached) so `operator enable`/`disable` take
+  // effect with no server restart — the literal 401 from the first external
+  // install. `overrides.operatorDataDir` is unused; the file lives in dataDir.
+  const liveOperatorToken = () =>
+    config.operatorTokenExplicit ?? getOperatorToken(config.dataDir);
+
   // Classify one raw token into a role. Shared by the Authorization header, the
   // HttpOnly auth cookie, and the `?t=` query so all three stay consistent.
   // `allowOperator` is true ONLY for the header path — the operator (support)
@@ -498,7 +532,8 @@ export async function createServer(overrides = {}) {
     if (token === config.partnerToken) {
       return { role: ROLES.PARTNER, sub: 'partner', source };
     }
-    if (allowOperator && config.operatorToken && token === config.operatorToken) {
+    const opToken = allowOperator ? liveOperatorToken() : null;
+    if (opToken && token === opToken) {
       return { role: ROLES.OPERATOR, sub: 'operator', source: source || 'operator-token' };
     }
     const payload = await verifyShareToken(token, config.shareSecret);
@@ -985,6 +1020,22 @@ export async function createServer(overrides = {}) {
     return c.json({ agent: agentTag(activeAgent), ...verdict });
   });
 
+  // Auto-update status (Phase 2) — what's running, the channel, on/off, and the
+  // last update outcome (the "updated to vX" note the UI can surface). Read-only;
+  // the toggle/apply levers are the CLI + the operator channel.
+  app.get('/api/update/status', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const s = loadUpdateSettings(globalDir());
+    return c.json({
+      current: APP_VERSION,
+      enabled: s.enabled,
+      channel: s.channel,
+      lastCheckAt: s.lastCheckAt || null,
+      lastUpdate: s.lastUpdate || null,
+    });
+  });
+
   // In-app "Sign in to Claude" — drives `claude auth login` in a real PTY so the
   // browser OAuth callback auto-completes and the user never touches a terminal.
   // (See agent-login.mjs.) Claude opens the OAuth URL in the user's browser itself
@@ -1220,7 +1271,9 @@ export async function createServer(overrides = {}) {
     spawn,
     ...(overrides.operatorDeps || {}),
   };
-  const operatorEnabled = () => Boolean(config.operatorToken);
+  // Live so `operator enable` (run in a separate CLI process) lights the channel
+  // up without a server restart, and `operator disable` takes it dark (RC1).
+  const operatorEnabled = () => Boolean(liveOperatorToken());
   function auditOperator(c, action, detail) {
     const s = c.get('session') || {};
     appendLine('operator', `${action} by=${s.sub || 'operator'} src=${s.source || '-'} ${detail || ''}`.trim());
@@ -1267,6 +1320,24 @@ export async function createServer(overrides = {}) {
       child?.on?.('exit', (code) => appendLine('operator', `reinstall-daemon exited code=${code}`));
       return { started: true, pid: child?.pid || null, command: `${cmd} i -g @venturewild/workspace` };
     },
+    // Phase 2: check the user's channel and install a newer version if one exists.
+    // The always-on supervisor's version-drift auto-restart (RC1b) then loads it;
+    // the supervisor also owns autonomous health-gated rollback. This is the
+    // remote-support trigger for the same flow (Phase 3 capability).
+    'update-now': async () => {
+      const gdir = globalDir();
+      const check = await (operatorDeps.checkUpdate
+        ? operatorDeps.checkUpdate()
+        : new AutoUpdater({ globalDir: gdir }).check());
+      if (!check.latest) return { ok: false, reason: 'registry-unreachable', current: check.current };
+      if (!check.available) return { ok: true, updated: false, current: check.current, latest: check.latest };
+      appendLine('operator', `update-now installing ${check.current} → ${check.latest} (${check.channel})`);
+      const res = await (operatorDeps.npmInstall || npmInstall)(`${PACKAGE_NAME}@${check.latest}`);
+      const ok = res.code === 0;
+      if (ok) recordUpdate(gdir, { from: check.current, to: check.latest, at: Date.now(), status: 'installed' });
+      appendLine('operator', `update-now ${ok ? 'installed' : `failed code=${res.code}`}`);
+      return { ok, updated: ok, from: check.current, to: check.latest, code: res.code };
+    },
   };
 
   app.get('/api/operator/diag', async (c) => {
@@ -1887,6 +1958,7 @@ export async function createServer(overrides = {}) {
     daemonBridge,
     daemonSupervisor,
     daemonReady,
+    tunnelWatchdog,
     syncControl,
     sessionReporter,
     detectedAgents,
@@ -1898,6 +1970,7 @@ export async function createServer(overrides = {}) {
       try { transcriptRecorder.stop(); } catch {}
       try { inboxWatcher.stop(); } catch {}
       try { daemonBridge?.stop(); } catch {}
+      try { tunnelWatchdog?.stop(); } catch {}
       // The daemon is deliberately NOT stopped here — it is detached so sync
       // keeps running after wild-workspace closes. `wild-workspace daemon
       // stop` is the explicit off-switch.

package/server/src/operator.mjs

@@ -29,6 +29,33 @@ export function loadOperatorToken(dataDir) {
   }
 }
 
+// RC1 hot-reload: read the operator token LIVE (with a tiny TTL cache) instead of
+// the value the server snapshotted at boot. Today `operator enable` writes the
+// token to disk but a long-running server keeps serving its cached "disabled"
+// state, so the channel 401s until a manual restart (the exact bug from the first
+// external install). A short TTL keeps this off the hot auth path — every request
+// reads from cache, and `enable`/`disable` take effect within `ttlMs`.
+//
+// The cache is keyed by dataDir so two servers (tests, multiple installs) in one
+// process don't read each other's tokens. `now` is injectable for tests.
+const _tokenCache = new Map(); // dataDir -> { token, at }
+export function getOperatorToken(dataDir, { ttlMs = 2000, now = Date.now } = {}) {
+  const t = now();
+  const hit = _tokenCache.get(dataDir);
+  if (hit && t - hit.at < ttlMs) return hit.token;
+  const token = loadOperatorToken(dataDir);
+  _tokenCache.set(dataDir, { token, at: t });
+  return token;
+}
+
+// Drop the cached token for a dataDir (or all of them). `enable`/`disable` run in
+// a separate CLI process from the server, so they don't need this — it exists so
+// in-process callers (and tests) can force a re-read without waiting out the TTL.
+export function invalidateOperatorTokenCache(dataDir) {
+  if (dataDir === undefined) _tokenCache.clear();
+  else _tokenCache.delete(dataDir);
+}
+
 // Turn the channel on. Idempotent by default — returns the existing token if one
 // is already set (so a re-run doesn't invalidate the code the user already
 // shared). Pass { rotate:true } to force a fresh token. Returns the token, or

package/server/src/supervisor.mjs

@@ -41,6 +41,47 @@ export function probeHealth(port, timeoutMs = 2500) {
   });
 }
 
+/**
+ * Ask the running server its version via /api/health. Returns the version string
+ * or null (server down / no version field / parse error). Never throws. Used by
+ * the version-drift check (RC1) — a stale server keeps running its OLD code after
+ * an upgrade, so we compare what's RUNNING to what's INSTALLED on disk.
+ */
+export function probeHealthVersion(port, timeoutMs = 2500) {
+  return new Promise((resolve) => {
+    const req = http.get(
+      { host: '127.0.0.1', port, path: '/api/health', timeout: timeoutMs },
+      (res) => {
+        let body = '';
+        res.on('data', (d) => { body += d; if (body.length > 4096) req.destroy(); });
+        res.on('end', () => {
+          try { resolve(JSON.parse(body).version || null); } catch { resolve(null); }
+        });
+      },
+    );
+    req.on('error', () => resolve(null));
+    req.on('timeout', () => { req.destroy(); resolve(null); });
+  });
+}
+
+/**
+ * The version installed on disk RIGHT NOW — read fresh from the package.json that
+ * ships next to this file, NOT the in-memory APP_VERSION constant. The supervisor
+ * is long-lived: after `npm i -g` (or the operator `reinstall-daemon`) swaps the
+ * package, the supervisor's own constant is stale too, so only a fresh disk read
+ * sees the new version. Respawning the server child reloads index.mjs from this
+ * same path, so the restart actually picks up the new code. Returns null on error.
+ */
+export function installedVersion(entry = DEFAULT_SERVER_ENTRY) {
+  try {
+    // index.mjs lives at <pkg>/server/src/index.mjs → package.json is ../../.
+    const pkg = path.resolve(path.dirname(entry), '..', '..', 'package.json');
+    return JSON.parse(fs.readFileSync(pkg, 'utf8')).version || null;
+  } catch {
+    return null;
+  }
+}
+
 export class WorkspaceSupervisor {
   constructor({
     serverEntry = DEFAULT_SERVER_ENTRY,
@@ -58,12 +99,32 @@ export class WorkspaceSupervisor {
     env = process.env,
     crashLoopThreshold = 3,
     diagnosticsImpl = null,
+    // RC1 version-drift auto-restart: when the RUNNING server reports an older
+    // version than what's INSTALLED on disk, restart it so it picks up the new
+    // code. On by default; seams injected for tests. WILD_WORKSPACE_NO_AUTORESTART=1
+    // disables it (e.g. a developer running an intentionally-older server).
+    autoRestartOnVersionDrift = env.WILD_WORKSPACE_NO_AUTORESTART !== '1',
+    versionImpl = probeHealthVersion,
+    installedVersionImpl = () => installedVersion(serverEntry),
+    // Phase 2 auto-update (Pillar B): the always-on supervisor self-updates the
+    // whole stack on the user's channel, with health-gated rollback. On by
+    // default; the env kill switch + the persisted off switch both disable it.
+    // Only wired up in start() (not in the unit-test path, which calls tick()
+    // directly) — see start(). updatePollMs is the *wake* cadence; the actual
+    // check interval lives inside AutoUpdater (6h) and self-rate-limits.
+    autoUpdate = env.WILD_WORKSPACE_NO_AUTOUPDATE !== '1',
+    updatePollMs = 60 * 60 * 1000, // wake hourly; AutoUpdater gates real checks
+    autoUpdaterFactory = null, //     test seam: (supervisor) => AutoUpdater-like
   } = {}) {
     Object.assign(this, {
       serverEntry, workspaceDir, port, globalDir, node, pollMs,
       backoffStartMs, backoffMaxMs, probeTimeoutMs, spawnImpl, probeImpl, nowImpl, env,
       crashLoopThreshold, diagnosticsImpl,
+      autoRestartOnVersionDrift, versionImpl, installedVersionImpl,
+      autoUpdate, updatePollMs, autoUpdaterFactory,
     });
+    this.autoUpdater = null;
+    this.updateTimer = null;
     this.logFile = path.join(globalDir, 'supervisor.log');
     this.serverLogFile = path.join(globalDir, 'server.out.log');
     this.lockFile = path.join(globalDir, 'supervisor.lock');
@@ -135,6 +196,28 @@ export class WorkspaceSupervisor {
       this.backoff = this.backoffStartMs; // healthy → reset backoff
       this.spawnCount = 0; //              healthy → not a crash loop
       this.pushedThisEpisode = false;
+      // RC1 version drift: a healthy-but-STALE server (running older code than
+      // what's installed) should be restarted so the upgrade actually lands.
+      // Only when WE own the child — we restart by killing it and letting the
+      // next tick respawn (which reloads index.mjs from disk). A server started
+      // by someone else (foreground `wild-workspace`) we leave alone; we have no
+      // handle on it. The restarted server reports the installed version, so the
+      // drift clears and this won't loop.
+      if (this.autoRestartOnVersionDrift && this.child) {
+        try {
+          const running = await this.versionImpl(this.port, this.probeTimeoutMs);
+          const installed = this.installedVersionImpl();
+          if (running && installed && running !== installed) {
+            this.log(`version drift: running=${running} installed=${installed} — restarting server`);
+            try { this.child.kill(); } catch { /* exit handler clears child */ }
+            this.child = null;
+            this.backoff = this.backoffStartMs; // upgrade is intentional, not a crash
+            return 'version-drift-restart';
+          }
+        } catch (e) {
+          this.log(`version-drift check error: ${e?.message || e}`);
+        }
+      }
       return 'healthy';
     }
     if (this.child) return 'booting';                                  // spawned, still coming up
@@ -198,6 +281,47 @@ export class WorkspaceSupervisor {
     }
   }
 
+  /**
+   * Restart the supervised server child so freshly installed code is loaded.
+   * Kills it and lets the next tick respawn (which reloads index.mjs from disk) —
+   * the same mechanism as the version-drift restart, exposed for the AutoUpdater.
+   * No-op (returns false) when we don't own a child (foreground server).
+   */
+  restartChild() {
+    if (!this.child) return false;
+    this.log('restartChild: killing server to load new code');
+    try { this.child.kill(); } catch { /* exit handler clears child */ }
+    this.child = null;
+    this.backoff = this.backoffStartMs; // an intentional restart, not a crash
+    return true;
+  }
+
+  /** Build the AutoUpdater bound to this supervisor. Separated for the test seam. */
+  async buildAutoUpdater() {
+    if (this.autoUpdaterFactory) return this.autoUpdaterFactory(this);
+    // Lazy import keeps the unit-test path (which never calls start()) free of the
+    // auto-update module + its registry/npm seams.
+    const { AutoUpdater } = await import('./auto-update.mjs');
+    return new AutoUpdater({
+      globalDir: this.globalDir,
+      port: this.port,
+      installedVersionImpl: this.installedVersionImpl,
+      healthVersionImpl: (port) => this.versionImpl(port, this.probeTimeoutMs),
+      restartImpl: async () => { this.restartChild(); },
+      nowImpl: this.nowImpl,
+      env: this.env,
+      logImpl: (m) => this.log(m),
+      onUpdate: (rec) => this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`),
+    });
+  }
+
+  runUpdateTick() {
+    if (!this.autoUpdater) return;
+    this.autoUpdater.tick()
+      .then((r) => { if (r && !['not-due', 'disabled', 'up-to-date', 'busy'].includes(r)) this.log(`auto-update tick: ${r}`); })
+      .catch((e) => this.log(`auto-update error: ${e?.message || e}`));
+  }
+
   /** Acquire the lock and start the supervision loop. Idempotent across processes. */
   start() {
     if (!this.acquireLock()) return { started: false, reason: 'already-running' };
@@ -207,11 +331,24 @@ export class WorkspaceSupervisor {
     this.log(`supervisor start pid=${process.pid} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
     this.timer = setInterval(() => { this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`)); }, this.pollMs);
     this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));
+
+    // Phase 2 auto-update: wake on a slow timer; the first check fires shortly
+    // after start so the server has time to come up (verify reads its /health).
+    if (this.autoUpdate && this.env.VITEST !== 'true' && this.env.NODE_ENV !== 'test') {
+      this.buildAutoUpdater().then((u) => {
+        this.autoUpdater = u;
+        this.updateTimer = setInterval(() => this.runUpdateTick(), this.updatePollMs);
+        if (this.updateTimer.unref) this.updateTimer.unref();
+        const kick = setTimeout(() => this.runUpdateTick(), 60_000);
+        if (kick.unref) kick.unref();
+      }).catch((e) => this.log(`auto-update init error: ${e?.message || e}`));
+    }
     return { started: true };
   }
 
   stop() {
     if (this.timer) { clearInterval(this.timer); this.timer = null; }
+    if (this.updateTimer) { clearInterval(this.updateTimer); this.updateTimer = null; }
     this.releaseLock();
   }
 }

package/server/src/tunnel-watchdog.mjs

@@ -0,0 +1,153 @@
+// TunnelWatchdog — RC2 self-heal for "slug-linked but the public URL is dead".
+//
+// The bug from the first external install: after a restart the daemon was
+// "running" but never re-linked to the relay, so `<slug>.venturewild.llc` was 502
+// while `localhost:5173` was perfectly healthy. Nothing noticed the half: the
+// install thought it was online. (`docs/remote-support-and-self-healing-design.md`
+// RC2 — a sibling of the half-open-after-sleep fix already shipped in the daemon.)
+//
+// This watchdog closes that gap from the workspace server (no Rust change): it
+// periodically asks our OWN public URL for /api/health. That request travels the
+// full chain — out to Cloudflare, through the relay, down the daemon's tunnel,
+// back to this server — so a 200 proves the whole path works. When the public
+// side fails repeatedly WHILE the local server is healthy (so the fault is the
+// LINK, not the server), it relinks the daemon — the same remedy as the operator
+// `relink-account` action, applied automatically.
+//
+// Conservative by design: it acts only on a sustained failure (threshold), never
+// relinks more often than `minRelinkIntervalMs`, and treats a down LOCAL server
+// as "not my job" (the WorkspaceSupervisor owns that). Every touch-point is an
+// injected seam so the suite never hits the network.
+//
+// SAFETY against thrash: a relink only helps when THIS daemon's link to the relay
+// is the broken part. When the relay itself is globally down (or otherwise can't
+// accept the link), relinking can't help — so retrying every interval just churns
+// the daemon. Relinks that DON'T restore the tunnel are counted, and after
+// `maxIneffectiveRelinks` the watchdog escalates to a long `longCooldownMs` quiet
+// period; a relink that works clears the counter (the next probe is healthy), so
+// the genuine RC2 case still self-heals fast.
+//
+// (Product model: one machine = one install = one daemon = one public slug;
+// multi-folder work is VS-Code-style within that single install. So co-tenant
+// daemon contention is NOT a supported state — this guard is for the relay-down /
+// transient-unreachable case, which is the real one. A two-install-per-machine
+// setup, as seen while dogfooding on 2026-06-07, is a test artifact only.)
+
+const DEFAULT_INTERVAL_MS = 60_000;
+const DEFAULT_PROBE_TIMEOUT_MS = 8_000;
+
+export class TunnelWatchdog {
+  /**
+   * @param {object} opts
+   * @param {string} opts.publicBaseUrl     e.g. https://<slug>.venturewild.llc
+   * @param {Function} opts.relink          async () => relink the daemon (stop+ensureRunning)
+   * @param {Function} [opts.localHealthy]  async () => boolean; default assumes healthy
+   * @param {Function} [opts.fetchImpl]
+   * @param {Function} [opts.nowImpl]
+   * @param {Function} [opts.log]
+   */
+  constructor({
+    publicBaseUrl,
+    relink,
+    localHealthy = async () => true,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+    nowImpl = () => Date.now(),
+    log = () => {},
+    intervalMs = DEFAULT_INTERVAL_MS,
+    failureThreshold = 3,
+    minRelinkIntervalMs = 120_000,
+    maxIneffectiveRelinks = 3,
+    longCooldownMs = 1_800_000, // 30 min quiet period once relinks stop helping
+    probeTimeoutMs = DEFAULT_PROBE_TIMEOUT_MS,
+  } = {}) {
+    this.publicBaseUrl = String(publicBaseUrl || '').replace(/\/+$/, '');
+    this.relink = relink;
+    this.localHealthy = localHealthy;
+    this.fetchImpl = fetchImpl;
+    this.nowImpl = nowImpl;
+    this.log = log;
+    this.intervalMs = intervalMs;
+    this.failureThreshold = failureThreshold;
+    this.minRelinkIntervalMs = minRelinkIntervalMs;
+    this.maxIneffectiveRelinks = maxIneffectiveRelinks;
+    this.longCooldownMs = longCooldownMs;
+    this.probeTimeoutMs = probeTimeoutMs;
+    this.failures = 0;
+    this.lastRelink = 0;
+    this.consecutiveRelinks = 0; // relinks since the last healthy probe (thrash guard)
+    this.timer = null;
+  }
+
+  /** Probe the public /api/health. Returns true iff it answers (any HTTP status). */
+  async probePublic() {
+    if (!this.publicBaseUrl) return false;
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), this.probeTimeoutMs);
+    try {
+      const res = await this.fetchImpl(`${this.publicBaseUrl}/api/health`, {
+        signal: ctrl.signal,
+        // never cached by the edge — we want the live tunnel, not a CDN copy
+        headers: { 'cache-control': 'no-cache' },
+      });
+      // A 5xx from the tunnel layer (502/504) means the link is down even though
+      // we got an HTTP response from the edge; treat only <500 as "reachable".
+      return res.status < 500;
+    } catch {
+      return false; // network error / timeout / abort
+    } finally {
+      clearTimeout(t);
+    }
+  }
+
+  /** One watchdog step. Returns its decision (exposed for tests). */
+  async tick() {
+    // Local server down → the WorkspaceSupervisor's problem, not ours. A failing
+    // public probe in that state says nothing about the LINK, so don't relink.
+    if (!(await this.localHealthy())) {
+      this.failures = 0;
+      return 'local-down';
+    }
+    if (await this.probePublic()) {
+      this.failures = 0;
+      this.consecutiveRelinks = 0; // the link is up → any prior relink worked
+      return 'healthy';
+    }
+    this.failures += 1;
+    if (this.failures < this.failureThreshold) return 'degraded';
+    const now = this.nowImpl();
+    // Relinks that aren't restoring the tunnel (shared daemon / relay down) earn an
+    // escalating quiet period so we never thrash a co-tenant's daemon (real finding).
+    const cooldown =
+      this.consecutiveRelinks >= this.maxIneffectiveRelinks
+        ? this.longCooldownMs
+        : this.minRelinkIntervalMs;
+    if (now - this.lastRelink < cooldown) return 'cooldown';
+    this.lastRelink = now;
+    this.failures = 0;
+    this.consecutiveRelinks += 1;
+    this.log(
+      `public tunnel unreachable while local is healthy — relinking daemon` +
+        ` (attempt ${this.consecutiveRelinks} since last healthy)`,
+    );
+    try {
+      await this.relink();
+      return 'relinked';
+    } catch (e) {
+      this.log(`relink failed: ${e?.message || e}`);
+      return 'relink-error';
+    }
+  }
+
+  start() {
+    if (this.timer) return this;
+    this.timer = setInterval(() => {
+      this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));
+    }, this.intervalMs);
+    if (this.timer.unref) this.timer.unref(); // never keep the process alive
+    return this;
+  }
+
+  stop() {
+    if (this.timer) { clearInterval(this.timer); this.timer = null; }
+  }
+}