@venturewild/workspace 0.6.17 → 0.6.19

package/server/src/index.mjs

@@ -85,6 +85,7 @@ import { getOperatorToken } from './operator.mjs';
 import { runDoctor } from './doctor.mjs';
 import { appendLine, tailFile, logFile, listLogs, TAILABLE, globalDir } from './logpaths.mjs';
 import { createBackgroundTasks } from './background-tasks.mjs';
+import { createTickets } from './support/tickets.mjs';
 import { SessionReporter } from './session-reporter.mjs';
 import { TranscriptRecorder } from './transcript.mjs';
 import { loadObservabilityConsent, setObservabilityConsent } from './observability.mjs';
@@ -509,6 +510,32 @@ export async function createServer(overrides = {}) {
     ? { mcpConfigPath: turnMcpConfig, strictMcp: true, appendSystemPrompt: TURN_SYSTEM_PROMPT }
     : {};
 
+  // Per-session GLM (items 13/14): a GLM chat is the CLAUDE binary with GLM env
+  // injected at spawn (so --resume / --mcp-config / canvas+bazaar tools all survive) —
+  // NOT the bare `glm` wrapper agent. Mirrors ~/.local/bin/glm exactly. Returns null
+  // if no key is connected, so a GLM turn degrades to an honest "connect GLM" error
+  // rather than silently running as Claude. The key NEVER leaves this env.
+  function glmEnv() {
+    try {
+      const keyFile = process.env.GLM_KEY_FILE || path.join(config.home, '.glm-key');
+      const key = readFileSync(keyFile, 'utf8').replace(/\s+/g, '');
+      if (!key) return null;
+      return {
+        ANTHROPIC_BASE_URL: 'https://api.z.ai/api/anthropic',
+        ANTHROPIC_AUTH_TOKEN: key,
+        ANTHROPIC_MODEL: process.env.GLM_MODEL || 'glm-5.1',
+        ANTHROPIC_SMALL_FAST_MODEL: process.env.GLM_SMALL_MODEL || 'glm-4.5-air',
+        DISABLE_TELEMETRY: '1',
+        DISABLE_ERROR_REPORTING: '1',
+      };
+    } catch {
+      return null;
+    }
+  }
+  function glmConnected() {
+    return glmEnv() != null;
+  }
+
   // --- chat turn orchestration ----------------------------------------------
   // One conversation per workspace in v1 (single-user, single tab — PRD §5.5).
   // Both user sends and auto-wake turns thread through one turn-runner so they
@@ -595,6 +622,29 @@ export async function createServer(overrides = {}) {
   // The registry persists ACROSS turns (a background job outlives the `claude -p`
   // process that spawned it), so it lives here in server scope — never per-session.
   const bgTasks = createBackgroundTasks({ broadcast: broadcastTask });
+  // Feature/bug ticketing (item 7) — shared store with the support MCP (file_ticket),
+  // read by the Requests block + best-effort synced to the VentureWild team.
+  const tickets = createTickets({ env: { WILD_WORKSPACE_GLOBAL_DIR: path.dirname(bazaar.dir) } });
+  // Best-effort, degrade-never push of a ticket to bmo-sync (the team's tracker). If
+  // the route isn't deployed yet (or we're on localhost), this silently no-ops and the
+  // ticket still lives locally + shows in the Requests block (the locked degrade).
+  function syncTicket(rec) {
+    const baseUrl = config.bmoSyncUrl;
+    if (!baseUrl || baseUrl.startsWith('http://127') || baseUrl.startsWith('http://localhost')) return;
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), 5000);
+    fetch(`${baseUrl.replace(/\/$/, '')}/api/tickets`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        account_token: config.accountToken || null,
+        slug: config.account?.slug || null,
+        ticket: rec,
+      }),
+      signal: ctrl.signal,
+    }).catch(() => { /* degrade-never — local store is the source of truth */ })
+      .finally(() => clearTimeout(t));
+  }
 
   /**
    * Run one chat turn: spawn the agent, stream every chunk to every chat
@@ -635,6 +685,22 @@ export async function createServer(overrides = {}) {
     // the stored level + the per-message toggle through resolveAutonomyMode, whose
     // guardrail guarantees an unbuilt/unknown level can NEVER become bypassPermissions.
     if (!auto) mode = resolveAutonomyMode(settings.getAutonomyLevel(), mode);
+    // Per-session provider (items 13/14): look up THIS session's provider (locked at
+    // creation). GLM = the claude binary + GLM env; Claude = no override. The provider
+    // also drives the context-window denominator (item 3) — Claude 1M, GLM 200k.
+    const sessionId = threadId || MAIN_SESSION_ID;
+    const sessionStore = createChatSessions({ dataDir: workspace.dataDir });
+    let sessProvider = 'claude';
+    try { sessProvider = sessionStore.get(sessionId)?.provider || 'claude'; } catch { /* default claude */ }
+    const providerEnv = sessProvider === 'glm' ? glmEnv() : null;
+    if (sessProvider === 'glm' && !providerEnv && !auto) {
+      broadcastChat({
+        type: 'error',
+        messageId: id,
+        message: "GLM isn't connected on this machine. Add your GLM key in Settings → Providers to use a GLM chat.",
+      }, workspace.id, threadId);
+      return false;
+    }
     // Per-thread conversation (C3 on top of lobby M1): resume THIS thread's claude
     // session from the workspace dataDir, and tag every frame with the workspace +
     // thread so it streams only to the matching chat block.
@@ -647,18 +713,20 @@ export async function createServer(overrides = {}) {
     });
 
     let retried = false;
+    let lastContext = null; // freshest per-session context gauge, persisted on turn end
     const startTurn = () => {
       const startedAt = Date.now();
-      log('[chat]', `turn-begin id=${id} auto=${auto} mode=${mode || 'build'} promptChars=${(prompt || '').length}`);
+      log('[chat]', `turn-begin id=${id} auto=${auto} provider=${sessProvider} mode=${mode || 'build'} promptChars=${(prompt || '').length}`);
       const session = new AgentSession(activeAgent);
       currentTurns.set(key, { session, messageId: id, workspaceId: workspace.id, threadId });
       let sawError = false;
       session.on('chunk', (chunk) => {
         // The per-turn context signal (working-memory gauge, §8) feeds the usage
         // service, which pushes a `usage` WS frame. It's server-internal metadata —
-        // keep it OFF the chat stream so it never renders as an empty bubble.
+        // keep it OFF the chat stream so it never renders as an empty bubble. The
+        // window is provider-aware (item 3) — Claude 1M / GLM 200k.
         if (chunk.type === 'context' && chunk.usage) {
-          usage.setContext(chunk.usage, chunk.model);
+          lastContext = usage.setContext(chunk.usage, chunk.model, sessProvider);
           return;
         }
         if (chunk.type === 'error') sawError = true;
@@ -733,7 +801,10 @@ export async function createServer(overrides = {}) {
         // Keep the session list's recency honest even when the turn was driven from
         // another device (the message PUT is client-driven; this is server-side).
         try {
-          createChatSessions({ dataDir: workspace.dataDir }).touch(threadId || MAIN_SESSION_ID);
+          sessionStore.touch(sessionId);
+          // Persist this session's context gauge so the sidebar chip shows it even
+          // without a live turn (item 3).
+          if (lastContext) sessionStore.setContext(sessionId, lastContext);
         } catch { /* best-effort — never break a turn on a registry hiccup */ }
         broadcastChat({ type: 'end', messageId: id, code }, workspace.id, threadId);
         activityBus.publish({ type: 'chat-end', messageId: id, code });
@@ -742,6 +813,9 @@ export async function createServer(overrides = {}) {
         cwd: workspace.dir,
         mode,
         resumeSessionId: resumeId,
+        // GLM session → inject the GLM env onto the claude binary (item 14). Claude
+        // session → no override (uses the machine's Claude OAuth).
+        ...(providerEnv ? { env: providerEnv } : {}),
         // Auto-wake (import integration, plan mode) stays bazaar-free; only the
         // user's own turns get the marketplace tools + disposition.
         ...(auto ? {} : turnCtx),
@@ -1067,6 +1141,27 @@ export async function createServer(overrides = {}) {
     c.json({ status: 'ok', version: APP_VERSION, ts: Date.now() }),
   );
 
+  // Detect an EXISTING agent setup in a folder (item 15) — a CLAUDE.md, a .claude
+  // dir, .claude/agents, or AGENTS.md. When present, onboarding offers "adopt" instead
+  // of asking the user to create a parallel agent. We ONLY read these markers — the
+  // onboarding/identity path never writes to them (the kept invariant; identity lives
+  // in the sync-ignored <repo>/.wild-workspace scratch).
+  function detectExistingSetup(dir) {
+    const markers = [
+      ['CLAUDE.md', 'CLAUDE.md'],
+      ['.claude/agents', path.join('.claude', 'agents')],
+      ['.claude', '.claude'],
+      ['AGENTS.md', 'AGENTS.md'],
+    ];
+    const signals = [];
+    for (const [label, rel] of markers) {
+      try { if (existsSync(path.join(dir, rel))) signals.push(label); } catch { /* skip */ }
+    }
+    // .claude is implied by .claude/agents — don't list both.
+    const deduped = signals.includes('.claude/agents') ? signals.filter((s) => s !== '.claude') : signals;
+    return { hasConfig: deduped.length > 0, signals: deduped };
+  }
+
   app.get('/api/session', (c) => {
     const session = c.get('session');
     const role = c.get('role');
@@ -1098,6 +1193,9 @@ export async function createServer(overrides = {}) {
         : null,
       identity,
       onboarded: Boolean(identity?.onboardedAt),
+      // item 15: an existing CLAUDE.md/.claude in this folder → onboarding offers
+      // "adopt" (keep it) instead of asking the user to create a parallel agent.
+      existingSetup: detectExistingSetup(ws.dir),
       shareBaseUrl: config.shareBaseUrl,
       // `account` is set after the user runs `wild-workspace login`. The UI
       // uses it to show "you are <slug>" and to seed step 4 of onboarding
@@ -1758,6 +1856,72 @@ export async function createServer(overrides = {}) {
     return c.json({ ok, ...(_loginSession ? _loginSession.snapshot() : emptyLoginSnap) });
   });
 
+  // --- Providers (items 13/14) — machine-level credentials (Settings → Providers) --
+  // The per-session picker only CHOOSES a provider; connecting GLM / signing out of
+  // Claude are machine-level acts that live here. Owner-gated.
+  const glmKeyFile = () => process.env.GLM_KEY_FILE || path.join(config.home, '.glm-key');
+
+  app.get('/api/providers', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({
+      glm: { connected: glmConnected() },
+      // Claude is the built-in default; `account` echoes who's signed in (if known).
+      claude: { connected: true, account: c.get('session')?.account?.email || null },
+    });
+  });
+
+  // Connect GLM — store the key at ~/.glm-key (single-line, never logged/committed,
+  // mode 600). The key is read straight off the body; it is NOT a financial/password
+  // field (it's a 3rd-party API token the user pastes deliberately).
+  app.post('/api/providers/glm', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const key = typeof body.key === 'string' ? body.key.replace(/\s+/g, '') : '';
+    if (!key || key.length < 8) return c.json({ error: 'invalid_key' }, 400);
+    try {
+      writeFileSync(glmKeyFile(), `${key}\n`, { mode: 0o600 });
+    } catch (e) {
+      return c.json({ error: 'write_failed', detail: String(e?.message || e) }, 500);
+    }
+    auditAction(c, 'providers.glm.connect', 'key stored');
+    return c.json({ ok: true, connected: glmConnected() });
+  });
+
+  // Disconnect GLM — remove the key file.
+  app.delete('/api/providers/glm', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    try { unlinkSync(glmKeyFile()); } catch { /* already gone */ }
+    auditAction(c, 'providers.glm.disconnect', 'key removed');
+    return c.json({ ok: true, connected: glmConnected() });
+  });
+
+  // Sign out of Claude — `claude auth logout` (no browser needed; clears the OS
+  // credential). The user re-signs-in via the existing in-app PTY login. NOTE: this
+  // logs out the machine's Claude account that the agent runs under.
+  app.post('/api/auth/claude/logout', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const bin = activeAgent?.resolvedPath || 'claude';
+    const result = await new Promise((resolve) => {
+      try {
+        const p = spawn(bin, ['auth', 'logout'], { stdio: ['ignore', 'pipe', 'pipe'], windowsHide: true });
+        let out = '';
+        p.stdout.on('data', (d) => { out += d; });
+        p.stderr.on('data', (d) => { out += d; });
+        p.on('error', (e) => resolve({ ok: false, error: String(e?.message || e) }));
+        p.on('close', (code) => resolve({ ok: code === 0, code, out: out.slice(0, 400) }));
+      } catch (e) {
+        resolve({ ok: false, error: String(e?.message || e) });
+      }
+    });
+    _readinessCache = null; // auth state changed
+    auditAction(c, 'auth.claude.logout', `ok=${result.ok}`);
+    return c.json(result);
+  });
+
   app.post('/api/agent/identity', async (c) => {
     const forbidden = require(c, 'chatWrite');
     if (forbidden) return forbidden;
@@ -1790,6 +1954,30 @@ export async function createServer(overrides = {}) {
     }
   });
 
+  // Adopt an existing setup (item 15) — the user opened a folder that already has a
+  // CLAUDE.md/.claude, so we SKIP "create an agent" and just adopt the existing
+  // config: derive a display name from the folder, write ONLY the .wild-workspace
+  // scratch identity, and mark onboarded. We NEVER touch the user's CLAUDE.md/.claude.
+  app.post('/api/agent/adopt', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const ws = workspaceFor(c);
+    const setup = detectExistingSetup(ws.dir);
+    if (!setup.hasConfig) return c.json({ error: 'no_existing_setup' }, 400);
+    // A friendly display name from the folder (the project's own name), e.g. "tickup"
+    // → "Tickup". The agent's behavior still comes from the existing CLAUDE.md/.claude.
+    const base = path.basename(ws.dir) || 'Agent';
+    const name = base.replace(/[-_]+/g, ' ').replace(/\b\w/g, (m) => m.toUpperCase()).slice(0, 40) || 'Agent';
+    try {
+      const saved = saveIdentity(ws.dataDir, { name, onboardedAt: Date.now() });
+      log('[onboarding]', `adopted existing setup (${setup.signals.join(', ')}) name=${saved.name}`);
+      activityBus.publish({ type: 'onboarded', at: saved.onboardedAt });
+      return c.json({ identity: saved, adopted: setup.signals });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
   // Consent toggle for the proactive observability feed (default-on — see
   // observability.mjs). Owner-only; applied live to the reporter, no restart.
   app.post('/api/observability/consent', async (c) => {
@@ -2597,6 +2785,62 @@ export async function createServer(overrides = {}) {
     return c.json({ id, output });
   });
 
+  // --- Feature/bug tickets (item 7) — the Requests block + the agent's file_ticket --
+  // The agent files via the support MCP (mcp__tickets__file_ticket) into the same
+  // store; the user files/updates here. Owner-gated. Tickets sync to the team's tracker
+  // best-effort, once each (a runaway list-poll never re-POSTs the same ticket).
+  const syncedTicketIds = new Set();
+  app.get('/api/workspace/tickets', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const list = tickets.list();
+    for (const t of list) {
+      if (!syncedTicketIds.has(t.id)) { syncedTicketIds.add(t.id); syncTicket(t); }
+    }
+    return c.json({ tickets: list });
+  });
+  app.post('/api/workspace/tickets', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    if (!body.title || typeof body.title !== 'string') return c.json({ error: 'title_required' }, 400);
+    const rec = tickets.file({
+      title: body.title, desc: body.desc, category: body.category, severity: body.severity,
+      workspaceId: workspaceFor(c).id, source: 'user',
+    });
+    syncedTicketIds.add(rec.id); syncTicket(rec);
+    auditAction(c, 'tickets.file', `id=${rec.id} cat=${rec.category}`);
+    return c.json({ ticket: rec });
+  });
+  app.patch('/api/workspace/tickets/:id', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const rec = tickets.update(c.req.param('id'), { status: body.status, note: body.note });
+    if (!rec) return c.json({ error: 'not_found' }, 404);
+    syncTicket(rec);
+    auditAction(c, 'tickets.update', `id=${rec.id} status=${rec.status}`);
+    return c.json({ ticket: rec });
+  });
+
+  // Stop a running background task — resolve who holds its output file open and kill
+  // that tree (Restart Manager on Windows, lsof on Unix). Owner-only. We pass every
+  // LIVE claude pid to exclude so a Stop during an in-flight turn can't kill the
+  // active agent (and `stop` always also excludes our own server pid — the guard that
+  // matters, since RM/lsof report the file's readers too).
+  app.post('/api/workspace/tasks/:id/stop', async (c) => {
+    const forbidden = require(c, 'fileTree');
+    if (forbidden) return forbidden;
+    const id = c.req.param('id');
+    const claudePids = [...currentTurns.values()]
+      .map((t) => t?.session?.proc?.pid)
+      .filter((p) => Number.isInteger(p));
+    auditAction(c, 'task-stop', `id=${id}`);
+    const res = await bgTasks.stop(workspaceFor(c).id, id, { excludePids: claudePids });
+    if (!res.ok) return c.json(res, res.error === 'not-found' ? 404 : 400);
+    return c.json(res);
+  });
+
   // --- component inbox ---
   app.get('/api/inbox', async (c) => {
     // Enforce the `inbox` capability (partner-only). It existed in the matrix
@@ -2876,6 +3120,9 @@ export async function createServer(overrides = {}) {
           const lid = fromRailsId(slug, rs.id);
           const existing = byId.get(lid);
           byId.set(lid, {
+            // Preserve local-only fields (provider/context/titleSource) — they're
+            // per-host metadata the rails don't carry.
+            ...(existing || {}),
             id: lid,
             title: rs.title || existing?.title || (lid === MAIN_SESSION_ID ? 'Main' : null),
             account: rs.owner_email || existing?.account || 'local',
@@ -2895,18 +3142,33 @@ export async function createServer(overrides = {}) {
     const forbidden = require(c, 'chatWrite');
     if (forbidden) return forbidden;
     const body = await c.req.json().catch(() => ({}));
+    // Per-session provider (items 13/14) — locked at creation. A GLM chat requires GLM
+    // to be connected on this machine; reject otherwise so we never make a dead chat.
+    const provider = body.provider === 'glm' ? 'glm' : 'claude';
+    if (provider === 'glm' && !glmConnected()) {
+      return c.json({ error: 'glm_not_connected' }, 400);
+    }
     const rec = sessionsFor(c).create({
       title: typeof body.title === 'string' ? body.title : null,
       account: accountLabel(),
+      provider,
     });
     const slug = sharedSlugFor(c);
     if (slug && sessionRails.capable) {
       sessionRails.createSession(slug, railsId(slug, rec.id), rec.title).catch(() => {});
     }
-    auditAction(c, 'sessions.create', `id=${rec.id}`);
+    auditAction(c, 'sessions.create', `id=${rec.id} provider=${provider}`);
     return c.json({ session: rec });
   });
 
+  // The living-summary handoff (item 9) — the carry-the-gist payload for a fresh chat.
+  app.get('/api/sessions/:id/summary', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const summary = sessionsFor(c).getSummary(c.req.param('id'));
+    return c.json({ summary: summary || null });
+  });
+
   app.get('/api/sessions/:id/messages', async (c) => {
     const forbidden = require(c, 'chat');
     if (forbidden) return forbidden;
@@ -3531,9 +3793,11 @@ export async function createServer(overrides = {}) {
         ws._sendTimes.push(now);
         // The turn-runner resumes THIS socket's workspace + thread conversation and
         // streams back only to the matching chat block (lobby M1 + C3).
+        // No client `mode` (item 10, 2026-06-21): the Build/Plan toggle was removed.
+        // runChatTurn resolves the permission mode from the stored autonomy dial
+        // (resolveAutonomyMode) — Full/unset → build, Check with me → read-only plan.
         runChatTurn({
           prompt: msg.text,
-          mode: msg.mode,
           messageId: msg.messageId,
           userText: msg.text,
           workspace: ws._wsWorkspace,

package/server/src/lobby-browse.mjs

@@ -22,6 +22,31 @@ function isDirSafe(p) {
   }
 }
 
+// Markers that mean "this folder already has your work" (item 6) — we want the lobby
+// to steer the user toward opening one of these over starting blank. A few cheap
+// existsSync checks per entry; we surface a short label list + a hasWork flag.
+const WORK_MARKERS = [
+  ['CLAUDE.md', 'CLAUDE.md'],
+  ['.claude', '.claude'],
+  ['.git', '.git'],
+  ['package.json', 'package.json'],
+  ['README.md', 'README.md'],
+  ['pyproject.toml', 'pyproject.toml'],
+  ['Cargo.toml', 'Cargo.toml'],
+  ['go.mod', 'go.mod'],
+  ['index.html', 'index.html'],
+];
+
+// Up to 3 signal labels for a folder (CLAUDE.md/.git/package.json/…), and hasWork.
+export function workSignals(dir) {
+  const signals = [];
+  for (const [label, rel] of WORK_MARKERS) {
+    try { if (fs.existsSync(path.join(dir, rel))) signals.push(label); } catch { /* skip */ }
+    if (signals.length >= 3) break;
+  }
+  return { hasWork: signals.length > 0, signals };
+}
+
 // The filesystem roots ("This PC"): on Windows each drive (C:\, D:\, …) is a
 // SEPARATE root with no common parent — without this, the picker is trapped on
 // the home drive (you could never browse to D:). We probe C–Z (A/B are legacy
@@ -104,8 +129,13 @@ export function browseDir(target) {
       if (d.isSymbolicLink()) return isDirSafe(path.join(abs, d.name));
       return false;
     })
-    .map((d) => ({ name: d.name, dir: path.join(abs, d.name) }))
-    .sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+    .map((d) => {
+      const dir = path.join(abs, d.name);
+      return { name: d.name, dir, ...workSignals(dir) };
+    })
+    // Folders that already have your work float to the top (item 6) — then alpha.
+    .sort((a, b) => (Number(b.hasWork) - Number(a.hasWork))
+      || a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
   const parent = path.dirname(abs);
   return { path: abs, parent: parent !== abs ? parent : null, entries };
 }

package/server/src/process-holders.mjs

@@ -0,0 +1,122 @@
+// Cross-platform "who is running this background task, and stop it" — without ever
+// capturing a PID at launch (which fighting claude's opaque background mechanism
+// proved unreliable). Instead we use the one thing we already know: the task's
+// OUTPUT FILE path. The running process holds that file open, so:
+//
+//   resolveHolders(file) -> the PIDs holding it open
+//   killTree(pids)       -> stop them (whole tree)
+//
+//   Windows: Restart Manager (rstrtmgr.dll) — the API installers use to find which
+//            process locks a file — driven by a tiny embedded PowerShell helper.
+//   macOS/Linux: `lsof -t` (terse, PIDs only).
+//
+// SAFETY (proven necessary in the spike): RM/lsof also report READERS — our own
+// server tails the file, so a naive kill could `taskkill` the wild-workspace server
+// itself. Callers MUST pass the pids to exclude (our pid + any live claude pids);
+// this module never kills blindly.
+
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+const execFileP = promisify(execFile);
+
+// PowerShell Restart Manager locker-finder. Embedded (not a shipped .ps1) so it
+// works regardless of how the package is published; written to a temp file on first
+// use and invoked with -File. Prints the holding PIDs, one per line.
+const RM_PS = [
+  'param([string]$Path)',
+  "$ErrorActionPreference='SilentlyContinue'",
+  "$sig = @'",
+  'using System; using System.Runtime.InteropServices; using System.Collections.Generic;',
+  'public static class RmFile {',
+  ' [StructLayout(LayoutKind.Sequential)] struct RM_UNIQUE_PROCESS { public int dwProcessId; public System.Runtime.InteropServices.ComTypes.FILETIME ProcessStartTime; }',
+  ' [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] struct RM_PROCESS_INFO {',
+  '  public RM_UNIQUE_PROCESS Process;',
+  '  [MarshalAs(UnmanagedType.ByValTStr, SizeConst=256)] public string strAppName;',
+  '  [MarshalAs(UnmanagedType.ByValTStr, SizeConst=64)] public string strServiceShortName;',
+  '  public int ApplicationType; public uint AppStatus; public uint TSSessionId; [MarshalAs(UnmanagedType.Bool)] public bool bRestartable; }',
+  ' [DllImport("rstrtmgr.dll", CharSet=CharSet.Unicode)] static extern int RmStartSession(out uint h, int flags, string key);',
+  ' [DllImport("rstrtmgr.dll")] static extern int RmEndSession(uint h);',
+  ' [DllImport("rstrtmgr.dll", CharSet=CharSet.Unicode)] static extern int RmRegisterResources(uint h, uint nf, string[] files, uint na, RM_UNIQUE_PROCESS[] apps, uint ns, string[] svc);',
+  ' [DllImport("rstrtmgr.dll")] static extern int RmGetList(uint h, out uint need, ref uint count, [In,Out] RM_PROCESS_INFO[] info, ref uint reasons);',
+  ' public static List<int> Lockers(string p){ var r=new List<int>(); uint h; if(RmStartSession(out h,0,Guid.NewGuid().ToString())!=0)return r;',
+  '  try{ if(RmRegisterResources(h,1,new[]{p},0,null,0,null)!=0)return r; uint need=0,count=0,reasons=0; int res=RmGetList(h,out need,ref count,null,ref reasons);',
+  '   if(res==234){ var info=new RM_PROCESS_INFO[need]; count=need; if(RmGetList(h,out need,ref count,info,ref reasons)==0){ for(int i=0;i<count;i++) r.Add(info[i].Process.dwProcessId);} } }',
+  '  finally{ RmEndSession(h); } return r; } }',
+  "'@",
+  'Add-Type -TypeDefinition $sig',
+  '[RmFile]::Lockers($Path) | ForEach-Object { $_ }',
+].join('\r\n');
+
+let _rmScriptPath = null;
+function ensureRmScript() {
+  if (_rmScriptPath && fs.existsSync(_rmScriptPath)) return _rmScriptPath;
+  const p = path.join(os.tmpdir(), 'wild-workspace-rm-holders.ps1');
+  try { fs.writeFileSync(p, RM_PS, 'utf8'); _rmScriptPath = p; } catch { _rmScriptPath = null; }
+  return _rmScriptPath;
+}
+
+function parsePids(stdout) {
+  return String(stdout || '')
+    .split(/\r?\n/)
+    .map((l) => parseInt(l.trim(), 10))
+    .filter((n) => Number.isInteger(n) && n > 0);
+}
+
+/**
+ * PIDs currently holding `filePath` open (the running task's process tree + any
+ * readers). Returns [] on any failure or when nothing holds it (task finished).
+ */
+export async function resolveHolders(filePath, { exec = execFileP, platform = process.platform } = {}) {
+  if (!filePath) return [];
+  try {
+    if (platform === 'win32') {
+      const script = ensureRmScript();
+      if (!script) return [];
+      const { stdout } = await exec(
+        'powershell',
+        ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', script, '-Path', filePath],
+        { timeout: 9000, windowsHide: true },
+      );
+      return uniq(parsePids(stdout));
+    }
+    const { stdout } = await exec('lsof', ['-t', '--', filePath], { timeout: 9000 });
+    return uniq(parsePids(stdout));
+  } catch (e) {
+    // lsof exits 1 with no output when nothing holds the file — that's "empty", not
+    // an error. Salvage any stdout the failed call captured, else treat as empty.
+    if (e && e.stdout) return uniq(parsePids(e.stdout));
+    return [];
+  }
+}
+
+/** Force-kill each pid AND its child tree. Returns per-pid {pid, ok}. */
+export async function killTree(pids, { exec = execFileP, platform = process.platform, kill = (p, s) => process.kill(p, s) } = {}) {
+  const out = [];
+  for (const pid of uniq(pids)) {
+    try {
+      if (platform === 'win32') {
+        await exec('taskkill', ['/PID', String(pid), '/T', '/F'], { timeout: 9000, windowsHide: true });
+      } else {
+        // SIGKILL the holder; lsof returned the whole fd-sharing chain, so killing
+        // each holder takes down the tree. A transient child (e.g. `sleep`) exits on
+        // its own once its parent is gone.
+        try { kill(pid, 'SIGKILL'); } catch { /* already gone */ }
+      }
+      out.push({ pid, ok: true });
+    } catch (e) {
+      // taskkill exits non-zero with "process not found" when /T already reaped it as
+      // part of an earlier pid's tree — that's success, not failure.
+      const msg = String((e && (e.stderr || e.message)) || '');
+      out.push({ pid, ok: /not found|not be terminated/i.test(msg) });
+    }
+  }
+  return out;
+}
+
+function uniq(arr) {
+  return [...new Set(arr)];
+}

package/server/src/support/index.mjs

@@ -0,0 +1,30 @@
+// Support runtime glue for the main server: the agent-facing system prompt and the
+// path to the support (tickets + check_preview) MCP server, wired into the turn's
+// --mcp-config by turn-mcp.mjs.
+
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+export const SUPPORT_MCP_SERVER_PATH = path.join(__dirname, 'mcp-server.mjs');
+
+// Appended to the agent's system prompt on user chat turns. Frames wild-workspace as
+// a tool the agent can drive "till a point": file/manage feature requests + bugs about
+// the workspace itself, and check the live preview — but NOT touch auth, keys, deletion,
+// or the user's files (those stay human-only). Plain language.
+export const SUPPORT_SYSTEM_PROMPT = [
+  "You can treat wild-workspace itself like a tool you operate. If you (or the user) hit something the",
+  "workspace is MISSING or doing wrong — a feature you wish it had, a bug — file a ticket with",
+  "mcp__tickets__file_ticket (title + a short desc + category/severity). It lands on the user's Requests",
+  "block and is traced by the VentureWild team, so the product gets better. Use list_tickets / update_ticket",
+  "to manage one over time (e.g. mark it done). File tickets for feedback about wild-workspace itself —",
+  "NOT for the user's own project work (that's just normal building).",
+  "",
+  "After you start a dev server for the user (npm run dev, etc.), call mcp__tickets__check_preview to",
+  "confirm it's actually serving and get its URL before pointing them at the Live view.",
+  "",
+  "Boundary: these are the only workspace-control actions you take on your own. You never change sign-in /",
+  "API keys, delete a workspace, alter support-access consent, or destroy the user's files — if something",
+  "needs one of those, ask the user to do it.",
+].join('\n');