@venturewild/workspace 0.3.2 → 0.3.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/daemon-bin.mjs

@@ -86,3 +86,25 @@ export function resolveDaemonVersion({ env = process.env, requireResolve } = {})
     return null;
   }
 }
+
+/**
+ * The daemon version the INSTALLED meta package PINS for this platform — read
+ * from the meta `package.json`'s optionalDependencies. This is the version
+ * `npm i -g @venturewild/workspace@<v>` is SUPPOSED to have pulled onto disk.
+ * Comparing it to resolveDaemonVersion() catches the go-live failure where the
+ * meta package updated but its daemon optionalDependency on disk lagged behind
+ * (the tangled Windows dev box stuck on the @0.2.0-era daemon). Returns the
+ * pinned version string, or null when it can't be read. Self-contained: reads the
+ * meta package.json that ships two dirs up from this file.
+ */
+export function expectedDaemonVersion({ metaPkgPath } = {}) {
+  const tag = platformTag();
+  try {
+    const pkg = metaPkgPath || path.resolve(__dirname, '..', '..', 'package.json');
+    const parsed = JSON.parse(readFileSync(pkg, 'utf8'));
+    const v = parsed?.optionalDependencies?.[`@venturewild/workspace-daemon-${tag}`];
+    return typeof v === 'string' ? v.replace(/^[~^]/, '') : null;
+  } catch {
+    return null;
+  }
+}

package/server/src/doctor.mjs

@@ -17,12 +17,25 @@ import path from 'node:path';
 import { buildConfig, APP_VERSION } from './config.mjs';
 import { detectAgents, pickDefaultAgent } from './agent.mjs';
 import { probeAgentReadiness } from './agent-readiness.mjs';
-import { resolveDaemonBinary } from './daemon-bin.mjs';
+import { resolveDaemonBinary, resolveDaemonVersion, expectedDaemonVersion } from './daemon-bin.mjs';
 import { checkPort } from './preview.mjs';
 import { loadAccount } from './account.mjs';
 import { serviceStatus } from './service.mjs';
 import { probeHealth, probeHealthVersion } from './supervisor.mjs';
-import { listLogs, diagnosticsDir } from './logpaths.mjs';
+import { listLogs, diagnosticsDir, globalDir } from './logpaths.mjs';
+
+// The daemon version the currently-RUNNING daemon was spawned under — the marker
+// the supervisor writes to ~/.wild-workspace/daemon-runtime.json (the daemon's
+// own /health reports no version). null when unread (never started / no marker).
+function readRunningDaemonVersion(env = process.env) {
+  try {
+    const file = path.join(globalDir(env), 'daemon-runtime.json');
+    const v = JSON.parse(fs.readFileSync(file, 'utf8'))?.daemonVersion;
+    return typeof v === 'string' ? v : null;
+  } catch {
+    return null;
+  }
+}
 
 const STATUS_ICON = { ok: '✅', warn: '⚠️', fail: '❌', info: 'ℹ️' };
 
@@ -93,6 +106,9 @@ export async function runDoctor(opts = {}, deps = {}) {
     listLogs: deps.listLogs || listLogs,
     fetchImpl: deps.fetchImpl || ((...a) => globalThis.fetch(...a)),
     probeRunningVersion: deps.probeRunningVersion || probeHealthVersion,
+    daemonInstalledVersion: deps.daemonInstalledVersion || (() => resolveDaemonVersion({ env })),
+    daemonExpectedVersion: deps.daemonExpectedVersion || (() => expectedDaemonVersion()),
+    daemonRunningVersion: deps.daemonRunningVersion || (() => readRunningDaemonVersion(env)),
   };
   const checks = [];
   const add = (c) => checks.push(c);
@@ -169,6 +185,45 @@ export async function runDoctor(opts = {}, deps = {}) {
     return { status: 'ok', detail: `${r.path} (${r.source})`, hint: null };
   });
 
+  // 4b. Daemon version drift (the go-live stale-process finding, Part 8). Three
+  // versions should agree: what the meta package PINS (expected), what's actually
+  // on disk (installed subpackage), and what the live daemon was spawned under
+  // (running marker). A mismatch is the exact "support channel silently 504s after
+  // an update" chain — the meta package updated but the daemon binary on disk
+  // lagged, or the daemon kept running old code. Surfaced so the fix (reinstall /
+  // restart) is obvious instead of invisible.
+  await guarded('daemonVersion', 'Sync daemon version', async () => {
+    const expected = d.daemonExpectedVersion();
+    const installed = d.daemonInstalledVersion();
+    const running = d.daemonRunningVersion();
+    const bits = [`pinned=${expected || '?'}`, `installed=${installed || 'PATH/vendor'}`, `running=${running || 'not started'}`];
+    const detail = bits.join(' ');
+    // Meta pins a version but the on-disk daemon subpackage is a DIFFERENT one →
+    // `npm i -g` didn't refresh the optionalDependency (the Windows dev box lag).
+    if (expected && installed && expected !== installed) {
+      return {
+        status: 'warn',
+        detail,
+        hint: `The daemon on disk (${installed}) does not match what this version pins (${expected}). Reinstall to refresh it: npm i -g @venturewild/workspace@latest`,
+      };
+    }
+    // The live daemon is running an older binary than what's installed → it needs
+    // a recycle (the always-on supervisor does this on its next tick).
+    if (installed && running && installed !== running) {
+      return {
+        status: 'warn',
+        detail,
+        hint: `The running daemon (${running}) is older than installed (${installed}). Always-on recycles it automatically; or restart sync (\`wild-workspace daemon stop\` then \`wild-workspace\`).`,
+      };
+    }
+    if (!installed) {
+      // PATH/vendor resolution — can't compare versions; the daemonBinary check
+      // above already warns about the missing bundled binary.
+      return { status: 'info', detail, hint: null };
+    }
+    return { status: 'ok', detail, hint: null };
+  });
+
   // 5. Workspace port
   await guarded('port', `Workspace port :${config.port}`, async () => {
     const inUse = await d.checkPort(config.port);

package/server/src/service.mjs

@@ -24,7 +24,7 @@
 // synced workspace (locked principle #1). Every external touch-point (reg.exe,
 // launchctl, kill) is an injected seam for testability.
 
-import { execFile } from 'node:child_process';
+import { execFile, spawn } from 'node:child_process';
 import { promisify } from 'node:util';
 import fs from 'node:fs';
 import os from 'node:os';
@@ -327,6 +327,102 @@ async function linuxStatus({ dir, systemdUserDir, execFileImpl, probeImpl, port
   return { installed, runValue: installed ? unit : null, supervisorPid, supervisorAlive, serverUp, enabled, active };
 }
 
+// --- self-restart: re-exec the supervisor to load freshly-installed code -----
+//
+// After an auto-update installs new code, the long-lived SUPERVISOR keeps running
+// the OLD code until it restarts — RC1b restarts the server CHILD, never the
+// supervisor parent. That's the go-live "stale-process-after-update chain"
+// (remote-support-and-self-healing-design.md Part 8): the supervisor's daemon-
+// drift recycle logic can't run, so the daemon stays on the old binary and the
+// support channel silently 504s. restartSelf() restarts the supervisor itself,
+// per-OS, so the whole stack lands new code with NO reboot:
+//   - macOS:   launchctl kickstart -k gui/<uid>/<label>  (launchd kills + relaunches us)
+//   - Linux:   systemctl --user restart <unit>           (only when systemd-managed)
+//   - Windows: re-spawn the hidden VBS launcher; the caller then exits so the
+//              successor takes the singleton lock (no service manager to do it).
+//
+// SAFE BY CONSTRUCTION — never kill the only supervisor on a non-managed run:
+//   - mac:   kickstart errors when the job isn't loaded (manual `service run`) →
+//            reported not-restarted, supervisor keeps running (old code, same as
+//            before this feature) rather than dying.
+//   - linux: gated on INVOCATION_ID (systemd sets it for its own services); a
+//            manual run has none → no-op (a `restart` would otherwise spawn a
+//            SECOND supervisor that collides on the singleton lock).
+//   - win:   only re-spawns when the installed launcher exists.
+// On mac/Linux the service manager kills+sequences the restart (no lock race). On
+// Windows the caller exits AFTER we've spawned the successor; the successor's node
+// boot (~hundreds of ms) outlasts the caller's lock release, so it takes over
+// cleanly — and a lost race merely falls back to the next-login launch (no user
+// downtime: the server + daemon are independent processes that keep serving).
+
+async function macRestartSelf({ execFileImpl, uid, label }) {
+  const target = `gui/${uid}/${label}`;
+  try {
+    await execFileImpl('launchctl', ['kickstart', '-k', target]);
+    return { restarted: true, method: 'launchctl-kickstart', target };
+  } catch (e) {
+    return { restarted: false, method: 'launchctl-kickstart', target, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+async function linuxRestartSelf({ execFileImpl, env, unit }) {
+  if (!env.INVOCATION_ID) {
+    return { restarted: false, method: 'systemctl', unit, reason: 'not-systemd-managed' };
+  }
+  try {
+    await execFileImpl('systemctl', ['--user', 'restart', unit]);
+    return { restarted: true, method: 'systemctl', unit };
+  } catch (e) {
+    return { restarted: false, method: 'systemctl', unit, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+function winRestartSelf({ dir, spawnImpl }) {
+  const vbs = path.join(dir, 'launch-hidden.vbs');
+  if (!fs.existsSync(vbs)) {
+    return { restarted: false, method: 'win-relaunch', reason: 'launcher-absent' };
+  }
+  try {
+    const child = spawnImpl('wscript.exe', [vbs], { detached: true, windowsHide: true, stdio: 'ignore' });
+    child?.unref?.();
+    // willExit: the caller MUST process.exit() so the successor can take the lock.
+    return { restarted: true, method: 'win-relaunch', launcher: vbs, willExit: true };
+  } catch (e) {
+    return { restarted: false, method: 'win-relaunch', launcher: vbs, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+/**
+ * Restart the always-on supervisor process so freshly-installed supervisor code
+ * loads (the Part-8 stale-process fix). Returns { restarted, method, ... }; a
+ * `willExit:true` (Windows) tells the caller to process.exit() after we return so
+ * the just-spawned successor can take the singleton lock. Never throws.
+ */
+export async function restartSelf(opts = {}, deps = {}) {
+  const platform = deps.platform || process.platform;
+  // dir (where the Windows launcher lives) may come from the operational opts
+  // (the supervisor passes its configured globalDir) or the test deps.
+  const dir = opts.dir || deps.dir || globalDir();
+  if (platform === 'darwin') {
+    return macRestartSelf({
+      execFileImpl: deps.execFileImpl || execFileP,
+      uid: deps.uid ?? currentUid(),
+      label: deps.label || LAUNCHD_LABEL,
+    });
+  }
+  if (platform === 'linux') {
+    return linuxRestartSelf({
+      execFileImpl: deps.execFileImpl || execFileP,
+      env: deps.env || process.env,
+      unit: deps.unit || SYSTEMD_UNIT,
+    });
+  }
+  if (platform === 'win32') {
+    return winRestartSelf({ dir, spawnImpl: deps.spawnImpl || spawn });
+  }
+  return { restarted: false, supported: false, platform };
+}
+
 // --- public API (platform dispatch) ----------------------------------------
 
 const unsupported = (platform, key) => ({

package/server/src/supervisor.mjs

@@ -26,6 +26,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { resolveDaemonVersion } from './daemon-bin.mjs';
+import { restartSelf } from './service.mjs';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const DEFAULT_SERVER_ENTRY = path.join(__dirname, 'index.mjs');
@@ -83,6 +84,13 @@ export function installedVersion(entry = DEFAULT_SERVER_ENTRY) {
   }
 }
 
+// Captured ONCE at module load = the version of the code THIS supervisor process
+// is running. A fresh installedVersion() reads disk, which moves ahead after an
+// in-place `npm i -g`; the difference is the supervisor's OWN staleness (the
+// Part-8 gap). Distinct from APP_VERSION only in that we read the same file the
+// drift check reads, so they're guaranteed equal at startup (no false drift).
+export const SUPERVISOR_VERSION = installedVersion();
+
 export class WorkspaceSupervisor {
   constructor({
     serverEntry = DEFAULT_SERVER_ENTRY,
@@ -134,6 +142,26 @@ export class WorkspaceSupervisor {
     // under (tracked in `daemon-runtime.json`, since the daemon's /health reports
     // no version). Test seam: inject a version function.
     daemonVersionImpl = () => resolveDaemonVersion({ env }),
+    // Supervisor self-restart after auto-update (the Part-8 stale-process fix):
+    // once an update installs new code and the server child restarts + verifies
+    // healthy, the supervisor must restart ITSELF so its own new code (e.g. the
+    // daemon-drift recycle) loads — RC1b only restarts the child. Per-OS re-exec
+    // lives in service.mjs::restartSelf. On by default; kill switch
+    // WILD_WORKSPACE_NO_SELF_RESTART=1. A cooldown + a once-per-process guard
+    // prevent any restart loop; the delay lets the triggering update tick unwind
+    // and logs flush first. All seams injected (no real exit/spawn in tests).
+    selfRestart = env.WILD_WORKSPACE_NO_SELF_RESTART !== '1',
+    selfRestartCooldownMs = 10 * 60 * 1000,
+    selfRestartDelayMs = 3000,
+    restartSelfImpl = restartSelf,
+    exitImpl = (code = 0) => process.exit(code),
+    scheduleImpl = (fn, ms) => { const t = setTimeout(fn, ms); if (t.unref) t.unref(); return t; },
+    // The version THIS supervisor process is running (captured at module load).
+    // The self-drift backstop self-restarts when the installed-on-disk version
+    // moves ahead of this — covering EVERY update path (our auto-updater, the
+    // operator `update-now`, the CLI `update apply`, a manual `npm i -g`), not
+    // just our own. null disables the backstop (tests default to null).
+    selfVersion = SUPERVISOR_VERSION,
   } = {}) {
     Object.assign(this, {
       serverEntry, workspaceDir, port, globalDir, node, pollMs,
@@ -142,6 +170,8 @@ export class WorkspaceSupervisor {
       autoRestartOnVersionDrift, versionImpl, installedVersionImpl,
       autoUpdate, updatePollMs, autoUpdaterFactory,
       superviseDaemon, daemonPollMs, daemonSupervisorFactory, daemonVersionImpl,
+      selfRestart, selfRestartCooldownMs, selfRestartDelayMs, restartSelfImpl, exitImpl, scheduleImpl,
+      selfVersion,
     });
     this.autoUpdater = null;
     this.updateTimer = null;
@@ -149,6 +179,10 @@ export class WorkspaceSupervisor {
     this.daemonTimer = null;
     this._daemonTicking = false;
     this.daemonRuntimeFile = path.join(globalDir, 'daemon-runtime.json');
+    // Persists the last self-restart time so a fresh post-re-exec supervisor
+    // honours the cooldown too (belt-and-suspenders against a restart loop).
+    this.selfRestartFile = path.join(globalDir, 'self-restart.json');
+    this._selfRestartScheduled = false;
     this.logFile = path.join(globalDir, 'supervisor.log');
     this.serverLogFile = path.join(globalDir, 'server.out.log');
     this.lockFile = path.join(globalDir, 'supervisor.lock');
@@ -243,6 +277,10 @@ export class WorkspaceSupervisor {
       this.restartChild();
       return 'restart-requested';
     }
+    // Part-8 backstop: if disk moved ahead of our own code (any update path),
+    // schedule a supervisor self-restart. Side-effect only — never changes the
+    // tick decision below (server/daemon healing proceeds as usual meanwhile).
+    this.maybeSelfRestartOnDrift();
     if (await this.probeImpl(this.port, this.probeTimeoutMs)) {
       this.backoff = this.backoffStartMs; // healthy → reset backoff
       this.spawnCount = 0; //              healthy → not a crash loop
@@ -347,6 +385,96 @@ export class WorkspaceSupervisor {
     return true;
   }
 
+  /** The last self-restart time (epoch ms), or 0. Used for the loop-guard cooldown. */
+  readLastSelfRestart() {
+    try { return Number(JSON.parse(fs.readFileSync(this.selfRestartFile, 'utf8')).at) || 0; }
+    catch { return 0; }
+  }
+
+  writeLastSelfRestart(at) {
+    try {
+      fs.mkdirSync(this.globalDir, { recursive: true });
+      fs.writeFileSync(this.selfRestartFile, JSON.stringify({ at }));
+    } catch { /* best-effort */ }
+  }
+
+  /**
+   * Schedule a supervisor self-restart so freshly-installed SUPERVISOR code loads
+   * (the Part-8 stale-process fix). Called from the AutoUpdater's onUpdate hook
+   * AFTER an update installed + restarted the server child + verified it healthy —
+   * so a bad release has already rolled back before we re-exec ourselves. Guarded
+   * three ways against a restart loop: the kill switch, a once-per-process flag,
+   * and a persisted cooldown (survives the re-exec). Returns a status string
+   * ('scheduled' | 'disabled' | 'already' | 'cooldown') for tests/logging. The
+   * actual restart runs on a short delay so the triggering tick unwinds first.
+   */
+  scheduleSelfRestart(reason) {
+    if (!this.selfRestart) return 'disabled';
+    if (this._selfRestartScheduled) return 'already';
+    const now = this.nowImpl();
+    const last = this.readLastSelfRestart();
+    if (last && now - last < this.selfRestartCooldownMs) {
+      this.log(`self-restart skipped (cooldown, last ${Math.round((now - last) / 1000)}s ago) — ${reason}`);
+      return 'cooldown';
+    }
+    this._selfRestartScheduled = true;
+    this.writeLastSelfRestart(now);
+    this.log(`self-restart scheduled in ${this.selfRestartDelayMs}ms — ${reason}`);
+    this.scheduleImpl(() => {
+      this._performSelfRestart(reason).catch((e) => this.log(`self-restart error: ${e?.message || e}`));
+    }, this.selfRestartDelayMs);
+    return 'scheduled';
+  }
+
+  /**
+   * Carry out the self-restart. On mac/Linux the service manager kills+relaunches
+   * us (we just issue the command and get SIGTERM'd → our exit handler releases the
+   * lock). On Windows restartSelf spawned a hidden successor and returns
+   * willExit:true — we then release the lock (via stop()) and exit so the successor
+   * can take it. A non-managed run reports restarted:false and we stay up on the
+   * old code (no worse than before this feature). Never throws.
+   */
+  async _performSelfRestart(reason) {
+    this.log(`self-restart now — ${reason}`);
+    let r;
+    try {
+      r = await this.restartSelfImpl({ dir: this.globalDir, port: this.port });
+    } catch (e) {
+      this.log(`self-restart impl error: ${e?.message || e}`);
+      return { restarted: false, error: e?.message || String(e) };
+    }
+    this.log(`self-restart result: ${JSON.stringify(r)}`);
+    if (r && r.willExit) {
+      this.stop(); // clears timers + releases the lock so the successor can take it
+      this.exitImpl(0);
+    }
+    return r;
+  }
+
+  /**
+   * Backstop for the Part-8 gap on EVERY update path, not just our own auto-
+   * updater: when the version installed on disk no longer matches the code THIS
+   * supervisor is running, the supervisor is stale → schedule a self-restart.
+   * RC1b already restarts the stale server child and daemonTick recycles the
+   * stale daemon; this is the missing third leg (the supervisor itself), so an
+   * operator `update-now` / CLI `update apply` / manual `npm i -g` also lands new
+   * supervisor code with no reboot. Skipped while OUR auto-updater is mid-flight
+   * so the rollback window is respected (that path self-restarts via the onUpdate
+   * hook, only after verify succeeds). Cheap (an in-memory compare guarding a disk
+   * read) and idempotent (scheduleSelfRestart de-dupes). Never throws.
+   */
+  maybeSelfRestartOnDrift() {
+    if (!this.selfRestart || !this.selfVersion) return false;
+    if (this._selfRestartScheduled) return false;
+    if (this.autoUpdater && this.autoUpdater.inProgress) return false; // respect rollback window
+    let installed = null;
+    try { installed = this.installedVersionImpl(); } catch { return false; }
+    if (!installed || installed === this.selfVersion) return false;
+    this.log(`supervisor version drift: running=${this.selfVersion} installed=${installed} — self-restarting`);
+    this.scheduleSelfRestart(`supervisor drift ${this.selfVersion}→${installed}`);
+    return true;
+  }
+
   /** Build the AutoUpdater bound to this supervisor. Separated for the test seam. */
   async buildAutoUpdater() {
     if (this.autoUpdaterFactory) return this.autoUpdaterFactory(this);
@@ -362,7 +490,16 @@ export class WorkspaceSupervisor {
       nowImpl: this.nowImpl,
       env: this.env,
       logImpl: (m) => this.log(m),
-      onUpdate: (rec) => this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`),
+      onUpdate: (rec) => {
+        this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`);
+        // A genuine version change landed healthy → restart the supervisor itself
+        // so its own new code loads (Part-8 stale-process fix). Guarded against
+        // loops inside scheduleSelfRestart. Fires only on a real bump (to≠from),
+        // never on rollback/failure (those statuses aren't 'ok').
+        if (rec.status === 'ok' && rec.to && rec.from && rec.to !== rec.from) {
+          this.scheduleSelfRestart(`auto-update ${rec.from}→${rec.to}`);
+        }
+      },
     });
   }