@venturewild/workspace 0.3.2 → 0.3.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.3.2",
+  "version": "0.3.4",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/daemon-bin.mjs

@@ -86,3 +86,25 @@ export function resolveDaemonVersion({ env = process.env, requireResolve } = {})
     return null;
   }
 }
+
+/**
+ * The daemon version the INSTALLED meta package PINS for this platform — read
+ * from the meta `package.json`'s optionalDependencies. This is the version
+ * `npm i -g @venturewild/workspace@<v>` is SUPPOSED to have pulled onto disk.
+ * Comparing it to resolveDaemonVersion() catches the go-live failure where the
+ * meta package updated but its daemon optionalDependency on disk lagged behind
+ * (the tangled Windows dev box stuck on the @0.2.0-era daemon). Returns the
+ * pinned version string, or null when it can't be read. Self-contained: reads the
+ * meta package.json that ships two dirs up from this file.
+ */
+export function expectedDaemonVersion({ metaPkgPath } = {}) {
+  const tag = platformTag();
+  try {
+    const pkg = metaPkgPath || path.resolve(__dirname, '..', '..', 'package.json');
+    const parsed = JSON.parse(readFileSync(pkg, 'utf8'));
+    const v = parsed?.optionalDependencies?.[`@venturewild/workspace-daemon-${tag}`];
+    return typeof v === 'string' ? v.replace(/^[~^]/, '') : null;
+  } catch {
+    return null;
+  }
+}

package/server/src/doctor.mjs

@@ -17,12 +17,25 @@ import path from 'node:path';
 import { buildConfig, APP_VERSION } from './config.mjs';
 import { detectAgents, pickDefaultAgent } from './agent.mjs';
 import { probeAgentReadiness } from './agent-readiness.mjs';
-import { resolveDaemonBinary } from './daemon-bin.mjs';
+import { resolveDaemonBinary, resolveDaemonVersion, expectedDaemonVersion } from './daemon-bin.mjs';
 import { checkPort } from './preview.mjs';
 import { loadAccount } from './account.mjs';
 import { serviceStatus } from './service.mjs';
 import { probeHealth, probeHealthVersion } from './supervisor.mjs';
-import { listLogs, diagnosticsDir } from './logpaths.mjs';
+import { listLogs, diagnosticsDir, globalDir } from './logpaths.mjs';
+
+// The daemon version the currently-RUNNING daemon was spawned under — the marker
+// the supervisor writes to ~/.wild-workspace/daemon-runtime.json (the daemon's
+// own /health reports no version). null when unread (never started / no marker).
+function readRunningDaemonVersion(env = process.env) {
+  try {
+    const file = path.join(globalDir(env), 'daemon-runtime.json');
+    const v = JSON.parse(fs.readFileSync(file, 'utf8'))?.daemonVersion;
+    return typeof v === 'string' ? v : null;
+  } catch {
+    return null;
+  }
+}
 
 const STATUS_ICON = { ok: '✅', warn: '⚠️', fail: '❌', info: 'ℹ️' };
 
@@ -93,6 +106,9 @@ export async function runDoctor(opts = {}, deps = {}) {
     listLogs: deps.listLogs || listLogs,
     fetchImpl: deps.fetchImpl || ((...a) => globalThis.fetch(...a)),
     probeRunningVersion: deps.probeRunningVersion || probeHealthVersion,
+    daemonInstalledVersion: deps.daemonInstalledVersion || (() => resolveDaemonVersion({ env })),
+    daemonExpectedVersion: deps.daemonExpectedVersion || (() => expectedDaemonVersion()),
+    daemonRunningVersion: deps.daemonRunningVersion || (() => readRunningDaemonVersion(env)),
   };
   const checks = [];
   const add = (c) => checks.push(c);
@@ -169,6 +185,45 @@ export async function runDoctor(opts = {}, deps = {}) {
     return { status: 'ok', detail: `${r.path} (${r.source})`, hint: null };
   });
 
+  // 4b. Daemon version drift (the go-live stale-process finding, Part 8). Three
+  // versions should agree: what the meta package PINS (expected), what's actually
+  // on disk (installed subpackage), and what the live daemon was spawned under
+  // (running marker). A mismatch is the exact "support channel silently 504s after
+  // an update" chain — the meta package updated but the daemon binary on disk
+  // lagged, or the daemon kept running old code. Surfaced so the fix (reinstall /
+  // restart) is obvious instead of invisible.
+  await guarded('daemonVersion', 'Sync daemon version', async () => {
+    const expected = d.daemonExpectedVersion();
+    const installed = d.daemonInstalledVersion();
+    const running = d.daemonRunningVersion();
+    const bits = [`pinned=${expected || '?'}`, `installed=${installed || 'PATH/vendor'}`, `running=${running || 'not started'}`];
+    const detail = bits.join(' ');
+    // Meta pins a version but the on-disk daemon subpackage is a DIFFERENT one →
+    // `npm i -g` didn't refresh the optionalDependency (the Windows dev box lag).
+    if (expected && installed && expected !== installed) {
+      return {
+        status: 'warn',
+        detail,
+        hint: `The daemon on disk (${installed}) does not match what this version pins (${expected}). Reinstall to refresh it: npm i -g @venturewild/workspace@latest`,
+      };
+    }
+    // The live daemon is running an older binary than what's installed → it needs
+    // a recycle (the always-on supervisor does this on its next tick).
+    if (installed && running && installed !== running) {
+      return {
+        status: 'warn',
+        detail,
+        hint: `The running daemon (${running}) is older than installed (${installed}). Always-on recycles it automatically; or restart sync (\`wild-workspace daemon stop\` then \`wild-workspace\`).`,
+      };
+    }
+    if (!installed) {
+      // PATH/vendor resolution — can't compare versions; the daemonBinary check
+      // above already warns about the missing bundled binary.
+      return { status: 'info', detail, hint: null };
+    }
+    return { status: 'ok', detail, hint: null };
+  });
+
   // 5. Workspace port
   await guarded('port', `Workspace port :${config.port}`, async () => {
     const inUse = await d.checkPort(config.port);

package/server/src/google-vouch.mjs

@@ -0,0 +1,87 @@
+// Google sign-in vouch (req 2) — the LOCAL-server half of "Sign in with Google".
+//
+// Why a vouch at all: Google's OAuth redirect URI must be a single, pre-registered
+// HTTPS URL, and the code exchange needs the client SECRET — neither can live on a
+// per-user, behind-the-tunnel local server. So bmo-sync (the central relay, which
+// already holds the account registry) owns the Google flow: it exchanges the code,
+// reads the user's verified email, checks it against the workspace's OWNER email,
+// and — only on a match — mints a short-lived VOUCH that it hands back to the local
+// server via `<slug>.venturewild.llc/?gv=<vouch>`. The local server verifies the
+// vouch and mints its own durable device token (reusing the same machinery as a
+// device-approval), so the cookie/role/revocation story is unchanged.
+//
+// The trust anchor is a secret BOTH sides already share, with NO new key to
+// distribute: the account token. bmo-sync stores `sha256(account_token)` in hex
+// (accounts.account_token_hash); the local server has the raw account token and
+// derives the same hex. That hex is the HS256 signing key. A third party can't
+// forge a vouch without the account token (or bmo-sync's at-rest hash), and the
+// local server already trusts bmo-sync (it routes all its traffic), so vouching
+// for identity adds no party that wasn't already in the trust base.
+
+import { SignJWT, jwtVerify } from 'jose';
+import { createHash } from 'node:crypto';
+
+export const VOUCH_AUDIENCE = 'wild-workspace-google-vouch';
+export const VOUCH_ISSUER = 'bmo-sync';
+// Vouches are single-hop and consumed immediately on the return redirect, so the
+// lifetime is tiny — long enough to survive the 302 + the SPA's POST, no more.
+export const VOUCH_TTL_SECONDS = 120;
+
+/**
+ * The HS256 key shared with bmo-sync: the lowercase-hex sha256 of the account
+ * token, exactly as bmo-sync stores it in `accounts.account_token_hash`
+ * (routes/slug.rs::hash_token = `hex::encode(Sha256::digest(token))`). Returns
+ * null when the install has no account token (not slug-linked → no Google sign-in).
+ */
+export function vouchKey(accountToken) {
+  if (!accountToken) return null;
+  const hex = createHash('sha256').update(String(accountToken)).digest('hex');
+  return new TextEncoder().encode(hex);
+}
+
+/**
+ * Mint a Google vouch (HS256). This is the contract bmo-sync implements in Rust;
+ * we keep a JS minter so the local-server verifier can be tested round-trip and
+ * the claim shape has one source of truth. NOT used in production by the server.
+ */
+export async function mintGoogleVouch({ accountToken, email, slug, nowSec = Math.floor(Date.now() / 1000), ttlSeconds = VOUCH_TTL_SECONDS }) {
+  const key = vouchKey(accountToken);
+  if (!key) throw new Error('no account token');
+  return new SignJWT({ email: String(email), slug: slug ? String(slug) : undefined })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuer(VOUCH_ISSUER)
+    .setAudience(VOUCH_AUDIENCE)
+    .setIssuedAt(nowSec)
+    .setExpirationTime(nowSec + ttlSeconds)
+    .sign(key);
+}
+
+/**
+ * Verify a Google vouch against this install's account token. Returns
+ * `{ ok: true, email, slug }` or `{ ok: false, reason }`. Never throws. The caller
+ * still enforces that `email` matches the configured owner email + `slug` matches
+ * this install — the vouch only proves "bmo-sync verified this Google identity for
+ * this account", not "this is the owner".
+ */
+export async function verifyGoogleVouch(token, accountToken) {
+  const key = vouchKey(accountToken);
+  if (!token || !key) return { ok: false, reason: 'no-token-or-key' };
+  try {
+    const { payload } = await jwtVerify(token, key, {
+      issuer: VOUCH_ISSUER,
+      audience: VOUCH_AUDIENCE,
+    });
+    if (!payload.email || typeof payload.email !== 'string') {
+      return { ok: false, reason: 'no-email' };
+    }
+    return { ok: true, email: payload.email, slug: typeof payload.slug === 'string' ? payload.slug : null };
+  } catch (e) {
+    // jose throws on bad signature / expiry / aud-iss mismatch — all "not valid".
+    return { ok: false, reason: e?.code || 'invalid' };
+  }
+}
+
+/** Case-insensitive owner-email match (Google emails are case-insensitive). */
+export function emailMatches(a, b) {
+  return Boolean(a) && Boolean(b) && String(a).trim().toLowerCase() === String(b).trim().toLowerCase();
+}

package/server/src/index.mjs

@@ -30,6 +30,7 @@ import {
   TokenRegistry,
 } from './share.mjs';
 import { PairingStore } from './pairing.mjs';
+import { verifyGoogleVouch, emailMatches } from './google-vouch.mjs';
 import { listDir, readFile, fullTree, workspaceSummary, safeResolve } from './fs.mjs';
 import { InboxWatcher } from './inbox.mjs';
 import { ActivityBus } from './activity.mjs';
@@ -588,6 +589,14 @@ export async function createServer(overrides = {}) {
     return attrs.join('; ');
   }
 
+  // The host-owner loopback grant (req 1) is only sound when the server is BOUND
+  // to loopback — then the port is reachable solely by on-host processes, so the
+  // (client-controlled) Host header can't be spoofed from the network. On a
+  // 0.0.0.0 / public bind we must NOT trust loopback-looking headers; tokens only.
+  const isLocalBind = ['127.0.0.1', 'localhost', '::1', '[::1]'].includes(
+    String(config.host || '127.0.0.1').toLowerCase(),
+  );
+
   // --- auth + role resolution ---
   async function resolveRole(c) {
     // 1. Authorization: Bearer — the only path that may carry the operator token.
@@ -619,7 +628,16 @@ export async function createServer(overrides = {}) {
     if (!config.publicMode) {
       return { role: ROLES.PARTNER, sub: 'local-partner', source: 'localhost' };
     }
-    // Public mode with no valid token: deny. No anonymous viewer access —
+    // Host-machine owner over GENUINE loopback (req 1: "same machine = no
+    // approval"). The owner opens localhost on the box that runs the workspace and
+    // is in — no device-approval. A tunneled visitor can never reach this: the
+    // relay stamps x-forwarded-host on every tunneled request (rejected by
+    // loopbackHeaders) and the server binds loopback. The only thing trusted here
+    // is an on-host process, which already holds the owner's files + secrets.
+    if (isLocalBind && isGenuineLoopback(c)) {
+      return { role: ROLES.PARTNER, sub: 'local-owner', source: 'loopback' };
+    }
+    // Public mode, not local, no valid token: deny. No anonymous viewer access —
     // a share JWT or the partner token is required. (Concern C1.)
     return { role: null, sub: 'anon', source: 'unauth', denied: true };
   }
@@ -692,6 +710,10 @@ export async function createServer(overrides = {}) {
     // request can reach it; the handler itself 404s anything that isn't real
     // loopback, so a public visitor can never use it.
     '/api/auth/bootstrap',
+    // Google sign-in return (req 2). A browser coming back from Google has no
+    // workspace token yet — it carries a bmo-sync vouch, which the handler
+    // verifies (an invalid vouch is rejected there), so being public is safe.
+    '/api/auth/google',
   ]);
   app.use('*', async (c, next) => {
     const session = await resolveRole(c);
@@ -760,14 +782,22 @@ export async function createServer(overrides = {}) {
   // with no forwarding headers + a loopback Host. (B1 — basis for first-device
   // bootstrap. A local process already has the user's filesystem + secrets, so
   // trusting it grants nothing it didn't already have.)
-  function isGenuineLoopback(c) {
-    const h = (n) => c.req.header(n);
-    if (h('x-forwarded-for') || h('x-forwarded-host') || h('x-forwarded-proto') || h('x-real-ip')) {
+  // Shared loopback predicate over a header getter — reused by the Hono path
+  // (isGenuineLoopback) and the raw-Node WS upgrade path (req.headers). A GENUINE
+  // local request carries NONE of the relay's forwarding headers (bmo-sync strips
+  // any client-supplied X-Forwarded-*/X-Real-IP and stamps its own on every
+  // tunneled request, so they can't be faked from the internet) and has a loopback
+  // Host. The server binds loopback, so only an on-host process can produce this.
+  function loopbackHeaders(get) {
+    if (get('x-forwarded-for') || get('x-forwarded-host') || get('x-forwarded-proto') || get('x-real-ip')) {
       return false;
     }
-    const hostname = String(h('host') || '').toLowerCase().split(':')[0];
+    const hostname = String(get('host') || '').toLowerCase().split(':')[0];
     return hostname === '127.0.0.1' || hostname === 'localhost' || hostname === '::1' || hostname === '[::1]';
   }
+  function isGenuineLoopback(c) {
+    return loopbackHeaders((n) => c.req.header(n));
+  }
 
   // --- auth: first-device bootstrap (B1) -------------------------------------
   // The everyday problem: a brand-new owner runs `wild-workspace` and wants to
@@ -862,6 +892,47 @@ export async function createServer(overrides = {}) {
     return c.json({ ok: true, role: session.role, cookie: true });
   });
 
+  // Google sign-in return (req 2). bmo-sync ran the Google OAuth centrally, checked
+  // the verified email against THIS account's owner, and handed the browser back a
+  // short-lived vouch via <slug>.venturewild.llc/?gv=<vouch>. The SPA POSTs it here;
+  // we verify it against the shared account secret, re-confirm the owner email +
+  // slug, then mint the SAME durable, individually-revocable device token a device
+  // approval would — so any device the owner signs into with Google is in, no
+  // second-device approval and no nag. Public-allowlisted: the vouch IS the
+  // credential, so an invalid one is rejected here (401/403), never trusted.
+  app.post('/api/auth/google', async (c) => {
+    // accountToken is kept top-level on config (out of the broadcast config.account).
+    if (!config.accountToken) {
+      return c.json({ error: 'not-linked' }, 400); // not slug-linked → no Google sign-in
+    }
+    let body = {};
+    try { body = await c.req.json(); } catch { /* empty body ok */ }
+    const vouch = typeof body.vouch === 'string' ? body.vouch : c.req.query('gv');
+    const v = await verifyGoogleVouch(vouch, config.accountToken);
+    if (!v.ok) {
+      log('[auth]', `google vouch rejected: ${v.reason}`);
+      return c.json({ error: 'invalid-vouch' }, 401);
+    }
+    // The vouch proves "bmo-sync verified this Google identity for this account".
+    // Re-enforce that it's the OWNER of THIS install (email + slug) so a vouch
+    // minted for another workspace can't be replayed here.
+    if (!emailMatches(v.email, config.account.email)) {
+      log('[auth]', `google vouch email mismatch (${v.email})`);
+      return c.json({ error: 'not-owner' }, 403);
+    }
+    if (v.slug && config.account.slug && v.slug !== config.account.slug) {
+      return c.json({ error: 'wrong-workspace' }, 403);
+    }
+    const device = await mintDeviceToken({ secret: config.shareSecret, workspaceId: config.workspaceId });
+    tokenRegistry.add({ ...device, kind: 'device', label: `Google (${v.email})`, createdAt: Date.now() });
+    const now = Math.floor(Date.now() / 1000);
+    const maxAge = Math.max(60, device.exp - now);
+    c.header('Set-Cookie', authCookieAttrs(device.token, maxAge));
+    auditAction(c, 'google-signin', `email=${v.email} sub=${device.sub}`);
+    log('[auth]', `google sign-in → durable device sub=${device.sub} email=${v.email} ttl=${maxAge}s`);
+    return c.json({ ok: true, role: 'partner', cookie: true });
+  });
+
   app.post('/api/auth/logout', (c) => {
     c.header('Set-Cookie', authCookieAttrs('', 0));
     return c.json({ ok: true });
@@ -2078,6 +2149,11 @@ export async function createServer(overrides = {}) {
     } else if (!cookieToken && !tokenFromQuery && !config.publicMode) {
       role = ROLES.PARTNER;
       sub = 'local-partner';
+    } else if (!cookieToken && !tokenFromQuery && isLocalBind && loopbackHeaders((n) => req.headers[n])) {
+      // Host-machine owner over genuine loopback (req 1) — mirror resolveRole so
+      // the chat WS works for the local owner with no token, same as the SPA.
+      role = ROLES.PARTNER;
+      sub = 'local-owner';
     }
     // Deny: public mode with no token, or any invalid/revoked token. An
     // invalid token must NOT silently fall back to partner. (Concern C1.)

package/server/src/service.mjs

@@ -24,7 +24,7 @@
 // synced workspace (locked principle #1). Every external touch-point (reg.exe,
 // launchctl, kill) is an injected seam for testability.
 
-import { execFile } from 'node:child_process';
+import { execFile, spawn } from 'node:child_process';
 import { promisify } from 'node:util';
 import fs from 'node:fs';
 import os from 'node:os';
@@ -327,6 +327,102 @@ async function linuxStatus({ dir, systemdUserDir, execFileImpl, probeImpl, port
   return { installed, runValue: installed ? unit : null, supervisorPid, supervisorAlive, serverUp, enabled, active };
 }
 
+// --- self-restart: re-exec the supervisor to load freshly-installed code -----
+//
+// After an auto-update installs new code, the long-lived SUPERVISOR keeps running
+// the OLD code until it restarts — RC1b restarts the server CHILD, never the
+// supervisor parent. That's the go-live "stale-process-after-update chain"
+// (remote-support-and-self-healing-design.md Part 8): the supervisor's daemon-
+// drift recycle logic can't run, so the daemon stays on the old binary and the
+// support channel silently 504s. restartSelf() restarts the supervisor itself,
+// per-OS, so the whole stack lands new code with NO reboot:
+//   - macOS:   launchctl kickstart -k gui/<uid>/<label>  (launchd kills + relaunches us)
+//   - Linux:   systemctl --user restart <unit>           (only when systemd-managed)
+//   - Windows: re-spawn the hidden VBS launcher; the caller then exits so the
+//              successor takes the singleton lock (no service manager to do it).
+//
+// SAFE BY CONSTRUCTION — never kill the only supervisor on a non-managed run:
+//   - mac:   kickstart errors when the job isn't loaded (manual `service run`) →
+//            reported not-restarted, supervisor keeps running (old code, same as
+//            before this feature) rather than dying.
+//   - linux: gated on INVOCATION_ID (systemd sets it for its own services); a
+//            manual run has none → no-op (a `restart` would otherwise spawn a
+//            SECOND supervisor that collides on the singleton lock).
+//   - win:   only re-spawns when the installed launcher exists.
+// On mac/Linux the service manager kills+sequences the restart (no lock race). On
+// Windows the caller exits AFTER we've spawned the successor; the successor's node
+// boot (~hundreds of ms) outlasts the caller's lock release, so it takes over
+// cleanly — and a lost race merely falls back to the next-login launch (no user
+// downtime: the server + daemon are independent processes that keep serving).
+
+async function macRestartSelf({ execFileImpl, uid, label }) {
+  const target = `gui/${uid}/${label}`;
+  try {
+    await execFileImpl('launchctl', ['kickstart', '-k', target]);
+    return { restarted: true, method: 'launchctl-kickstart', target };
+  } catch (e) {
+    return { restarted: false, method: 'launchctl-kickstart', target, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+async function linuxRestartSelf({ execFileImpl, env, unit }) {
+  if (!env.INVOCATION_ID) {
+    return { restarted: false, method: 'systemctl', unit, reason: 'not-systemd-managed' };
+  }
+  try {
+    await execFileImpl('systemctl', ['--user', 'restart', unit]);
+    return { restarted: true, method: 'systemctl', unit };
+  } catch (e) {
+    return { restarted: false, method: 'systemctl', unit, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+function winRestartSelf({ dir, spawnImpl }) {
+  const vbs = path.join(dir, 'launch-hidden.vbs');
+  if (!fs.existsSync(vbs)) {
+    return { restarted: false, method: 'win-relaunch', reason: 'launcher-absent' };
+  }
+  try {
+    const child = spawnImpl('wscript.exe', [vbs], { detached: true, windowsHide: true, stdio: 'ignore' });
+    child?.unref?.();
+    // willExit: the caller MUST process.exit() so the successor can take the lock.
+    return { restarted: true, method: 'win-relaunch', launcher: vbs, willExit: true };
+  } catch (e) {
+    return { restarted: false, method: 'win-relaunch', launcher: vbs, error: String(e?.message || e).split('\n')[0] };
+  }
+}
+
+/**
+ * Restart the always-on supervisor process so freshly-installed supervisor code
+ * loads (the Part-8 stale-process fix). Returns { restarted, method, ... }; a
+ * `willExit:true` (Windows) tells the caller to process.exit() after we return so
+ * the just-spawned successor can take the singleton lock. Never throws.
+ */
+export async function restartSelf(opts = {}, deps = {}) {
+  const platform = deps.platform || process.platform;
+  // dir (where the Windows launcher lives) may come from the operational opts
+  // (the supervisor passes its configured globalDir) or the test deps.
+  const dir = opts.dir || deps.dir || globalDir();
+  if (platform === 'darwin') {
+    return macRestartSelf({
+      execFileImpl: deps.execFileImpl || execFileP,
+      uid: deps.uid ?? currentUid(),
+      label: deps.label || LAUNCHD_LABEL,
+    });
+  }
+  if (platform === 'linux') {
+    return linuxRestartSelf({
+      execFileImpl: deps.execFileImpl || execFileP,
+      env: deps.env || process.env,
+      unit: deps.unit || SYSTEMD_UNIT,
+    });
+  }
+  if (platform === 'win32') {
+    return winRestartSelf({ dir, spawnImpl: deps.spawnImpl || spawn });
+  }
+  return { restarted: false, supported: false, platform };
+}
+
 // --- public API (platform dispatch) ----------------------------------------
 
 const unsupported = (platform, key) => ({

package/server/src/supervisor.mjs

@@ -26,6 +26,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { resolveDaemonVersion } from './daemon-bin.mjs';
+import { restartSelf } from './service.mjs';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const DEFAULT_SERVER_ENTRY = path.join(__dirname, 'index.mjs');
@@ -83,6 +84,13 @@ export function installedVersion(entry = DEFAULT_SERVER_ENTRY) {
   }
 }
 
+// Captured ONCE at module load = the version of the code THIS supervisor process
+// is running. A fresh installedVersion() reads disk, which moves ahead after an
+// in-place `npm i -g`; the difference is the supervisor's OWN staleness (the
+// Part-8 gap). Distinct from APP_VERSION only in that we read the same file the
+// drift check reads, so they're guaranteed equal at startup (no false drift).
+export const SUPERVISOR_VERSION = installedVersion();
+
 export class WorkspaceSupervisor {
   constructor({
     serverEntry = DEFAULT_SERVER_ENTRY,
@@ -134,6 +142,26 @@ export class WorkspaceSupervisor {
     // under (tracked in `daemon-runtime.json`, since the daemon's /health reports
     // no version). Test seam: inject a version function.
     daemonVersionImpl = () => resolveDaemonVersion({ env }),
+    // Supervisor self-restart after auto-update (the Part-8 stale-process fix):
+    // once an update installs new code and the server child restarts + verifies
+    // healthy, the supervisor must restart ITSELF so its own new code (e.g. the
+    // daemon-drift recycle) loads — RC1b only restarts the child. Per-OS re-exec
+    // lives in service.mjs::restartSelf. On by default; kill switch
+    // WILD_WORKSPACE_NO_SELF_RESTART=1. A cooldown + a once-per-process guard
+    // prevent any restart loop; the delay lets the triggering update tick unwind
+    // and logs flush first. All seams injected (no real exit/spawn in tests).
+    selfRestart = env.WILD_WORKSPACE_NO_SELF_RESTART !== '1',
+    selfRestartCooldownMs = 10 * 60 * 1000,
+    selfRestartDelayMs = 3000,
+    restartSelfImpl = restartSelf,
+    exitImpl = (code = 0) => process.exit(code),
+    scheduleImpl = (fn, ms) => { const t = setTimeout(fn, ms); if (t.unref) t.unref(); return t; },
+    // The version THIS supervisor process is running (captured at module load).
+    // The self-drift backstop self-restarts when the installed-on-disk version
+    // moves ahead of this — covering EVERY update path (our auto-updater, the
+    // operator `update-now`, the CLI `update apply`, a manual `npm i -g`), not
+    // just our own. null disables the backstop (tests default to null).
+    selfVersion = SUPERVISOR_VERSION,
   } = {}) {
     Object.assign(this, {
       serverEntry, workspaceDir, port, globalDir, node, pollMs,
@@ -142,6 +170,8 @@ export class WorkspaceSupervisor {
       autoRestartOnVersionDrift, versionImpl, installedVersionImpl,
       autoUpdate, updatePollMs, autoUpdaterFactory,
       superviseDaemon, daemonPollMs, daemonSupervisorFactory, daemonVersionImpl,
+      selfRestart, selfRestartCooldownMs, selfRestartDelayMs, restartSelfImpl, exitImpl, scheduleImpl,
+      selfVersion,
     });
     this.autoUpdater = null;
     this.updateTimer = null;
@@ -149,6 +179,10 @@ export class WorkspaceSupervisor {
     this.daemonTimer = null;
     this._daemonTicking = false;
     this.daemonRuntimeFile = path.join(globalDir, 'daemon-runtime.json');
+    // Persists the last self-restart time so a fresh post-re-exec supervisor
+    // honours the cooldown too (belt-and-suspenders against a restart loop).
+    this.selfRestartFile = path.join(globalDir, 'self-restart.json');
+    this._selfRestartScheduled = false;
     this.logFile = path.join(globalDir, 'supervisor.log');
     this.serverLogFile = path.join(globalDir, 'server.out.log');
     this.lockFile = path.join(globalDir, 'supervisor.lock');
@@ -243,6 +277,10 @@ export class WorkspaceSupervisor {
       this.restartChild();
       return 'restart-requested';
     }
+    // Part-8 backstop: if disk moved ahead of our own code (any update path),
+    // schedule a supervisor self-restart. Side-effect only — never changes the
+    // tick decision below (server/daemon healing proceeds as usual meanwhile).
+    this.maybeSelfRestartOnDrift();
     if (await this.probeImpl(this.port, this.probeTimeoutMs)) {
       this.backoff = this.backoffStartMs; // healthy → reset backoff
       this.spawnCount = 0; //              healthy → not a crash loop
@@ -347,6 +385,96 @@ export class WorkspaceSupervisor {
     return true;
   }
 
+  /** The last self-restart time (epoch ms), or 0. Used for the loop-guard cooldown. */
+  readLastSelfRestart() {
+    try { return Number(JSON.parse(fs.readFileSync(this.selfRestartFile, 'utf8')).at) || 0; }
+    catch { return 0; }
+  }
+
+  writeLastSelfRestart(at) {
+    try {
+      fs.mkdirSync(this.globalDir, { recursive: true });
+      fs.writeFileSync(this.selfRestartFile, JSON.stringify({ at }));
+    } catch { /* best-effort */ }
+  }
+
+  /**
+   * Schedule a supervisor self-restart so freshly-installed SUPERVISOR code loads
+   * (the Part-8 stale-process fix). Called from the AutoUpdater's onUpdate hook
+   * AFTER an update installed + restarted the server child + verified it healthy —
+   * so a bad release has already rolled back before we re-exec ourselves. Guarded
+   * three ways against a restart loop: the kill switch, a once-per-process flag,
+   * and a persisted cooldown (survives the re-exec). Returns a status string
+   * ('scheduled' | 'disabled' | 'already' | 'cooldown') for tests/logging. The
+   * actual restart runs on a short delay so the triggering tick unwinds first.
+   */
+  scheduleSelfRestart(reason) {
+    if (!this.selfRestart) return 'disabled';
+    if (this._selfRestartScheduled) return 'already';
+    const now = this.nowImpl();
+    const last = this.readLastSelfRestart();
+    if (last && now - last < this.selfRestartCooldownMs) {
+      this.log(`self-restart skipped (cooldown, last ${Math.round((now - last) / 1000)}s ago) — ${reason}`);
+      return 'cooldown';
+    }
+    this._selfRestartScheduled = true;
+    this.writeLastSelfRestart(now);
+    this.log(`self-restart scheduled in ${this.selfRestartDelayMs}ms — ${reason}`);
+    this.scheduleImpl(() => {
+      this._performSelfRestart(reason).catch((e) => this.log(`self-restart error: ${e?.message || e}`));
+    }, this.selfRestartDelayMs);
+    return 'scheduled';
+  }
+
+  /**
+   * Carry out the self-restart. On mac/Linux the service manager kills+relaunches
+   * us (we just issue the command and get SIGTERM'd → our exit handler releases the
+   * lock). On Windows restartSelf spawned a hidden successor and returns
+   * willExit:true — we then release the lock (via stop()) and exit so the successor
+   * can take it. A non-managed run reports restarted:false and we stay up on the
+   * old code (no worse than before this feature). Never throws.
+   */
+  async _performSelfRestart(reason) {
+    this.log(`self-restart now — ${reason}`);
+    let r;
+    try {
+      r = await this.restartSelfImpl({ dir: this.globalDir, port: this.port });
+    } catch (e) {
+      this.log(`self-restart impl error: ${e?.message || e}`);
+      return { restarted: false, error: e?.message || String(e) };
+    }
+    this.log(`self-restart result: ${JSON.stringify(r)}`);
+    if (r && r.willExit) {
+      this.stop(); // clears timers + releases the lock so the successor can take it
+      this.exitImpl(0);
+    }
+    return r;
+  }
+
+  /**
+   * Backstop for the Part-8 gap on EVERY update path, not just our own auto-
+   * updater: when the version installed on disk no longer matches the code THIS
+   * supervisor is running, the supervisor is stale → schedule a self-restart.
+   * RC1b already restarts the stale server child and daemonTick recycles the
+   * stale daemon; this is the missing third leg (the supervisor itself), so an
+   * operator `update-now` / CLI `update apply` / manual `npm i -g` also lands new
+   * supervisor code with no reboot. Skipped while OUR auto-updater is mid-flight
+   * so the rollback window is respected (that path self-restarts via the onUpdate
+   * hook, only after verify succeeds). Cheap (an in-memory compare guarding a disk
+   * read) and idempotent (scheduleSelfRestart de-dupes). Never throws.
+   */
+  maybeSelfRestartOnDrift() {
+    if (!this.selfRestart || !this.selfVersion) return false;
+    if (this._selfRestartScheduled) return false;
+    if (this.autoUpdater && this.autoUpdater.inProgress) return false; // respect rollback window
+    let installed = null;
+    try { installed = this.installedVersionImpl(); } catch { return false; }
+    if (!installed || installed === this.selfVersion) return false;
+    this.log(`supervisor version drift: running=${this.selfVersion} installed=${installed} — self-restarting`);
+    this.scheduleSelfRestart(`supervisor drift ${this.selfVersion}→${installed}`);
+    return true;
+  }
+
   /** Build the AutoUpdater bound to this supervisor. Separated for the test seam. */
   async buildAutoUpdater() {
     if (this.autoUpdaterFactory) return this.autoUpdaterFactory(this);
@@ -362,7 +490,16 @@ export class WorkspaceSupervisor {
       nowImpl: this.nowImpl,
       env: this.env,
       logImpl: (m) => this.log(m),
-      onUpdate: (rec) => this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`),
+      onUpdate: (rec) => {
+        this.log(`auto-update result: ${rec.from || '?'}→${rec.to} ${rec.status}`);
+        // A genuine version change landed healthy → restart the supervisor itself
+        // so its own new code loads (Part-8 stale-process fix). Guarded against
+        // loops inside scheduleSelfRestart. Fires only on a real bump (to≠from),
+        // never on rollback/failure (those statuses aren't 'ok').
+        if (rec.status === 'ok' && rec.to && rec.from && rec.to !== rec.from) {
+          this.scheduleSelfRestart(`auto-update ${rec.from}→${rec.to}`);
+        }
+      },
     });
   }
 
@@ -469,7 +606,7 @@ export class WorkspaceSupervisor {
     process.on('exit', () => this.releaseLock());
     process.on('SIGTERM', () => process.exit(0));
     process.on('SIGINT', () => process.exit(0));
-    this.log(`supervisor start pid=${process.pid} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
+    this.log(`supervisor start pid=${process.pid} v${this.selfVersion || '?'} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
     this.timer = setInterval(() => { this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`)); }, this.pollMs);
     this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));