@venturewild/workspace 0.6.26 → 0.6.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.6.26",
+  "version": "0.6.28",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/agent.mjs

@@ -46,13 +46,32 @@ export function ensureToolPath(env = process.env, { platform = process.platform,
   return env.PATH;
 }
 
+// On Windows, `where.exe <binary>` lists the extensionless POSIX npm shim
+// (e.g. `…\AppData\Roaming\npm\claude`) BEFORE claude.cmd. spawn() with
+// shell:false can't run that shim — it's a sh script — so a npm-installed
+// Claude resolved to ENOENT (caught live 2026-06-26). Prefer a real Windows
+// launcher (.cmd > .exe > .bat); fall back to the first hit if none. Exported
+// for unit testing.
+export function pickWindowsBinary(lines) {
+  const list = Array.isArray(lines) ? lines : [];
+  for (const ext of ['.exe', '.cmd', '.bat']) {
+    const re = new RegExp(ext.replace('.', '\\.') + '$', 'i');
+    const hit = list.find((l) => re.test(l.trim()));
+    if (hit) return hit.trim();
+  }
+  return list[0]?.trim() || null;
+}
+
 async function isOnPath(binary) {
   ensureToolPath(); // make sure the tool dirs are on PATH before we look
   const probe = process.platform === 'win32' ? 'where.exe' : 'which';
   try {
     const { stdout } = await execFile(probe, [binary], { timeout: PATH_LOOKUP_TIMEOUT_MS });
     const lines = stdout.split(/\r?\n/).filter(Boolean);
-    if (lines.length > 0) return lines[0].trim();
+    if (lines.length > 0) {
+      // Skip the extensionless npm shim on Windows (see pickWindowsBinary).
+      return process.platform === 'win32' ? pickWindowsBinary(lines) : lines[0].trim();
+    }
   } catch { /* fall through to a direct probe */ }
   // which/where can still miss a freshly-installed binary in a stripped launchd
   // environment — probe the known install dirs directly and return an ABSOLUTE
@@ -180,12 +199,19 @@ export class AgentSession extends EventEmitter {
         ? buildClaudeArgs(this.agent.args, ctx)
         : [...this.agent.args];
     // Prefer the resolved absolute path from detection; fall back to the bare
-    // name. claude ships a native binary, so shell:false spawns cleanly.
+    // name. On Windows a npm-installed Claude resolves to claude.cmd — which
+    // Node refuses to spawn with shell:false (CVE-2024-27980) — so a .cmd/.bat
+    // shim (or the extensionless npm shim, which cmd rescues via PATHEXT) must
+    // go through cmd.exe. A real .exe (node, native claude.exe) spawns
+    // directly with shell:false, so tests + native installs are untouched.
+    // POSIX keeps shell:false (the native binary there spawns directly).
     const command = this.agent.resolvedPath || this.agent.binary;
+    const isWin = process.platform === 'win32';
+    const needsShell = isWin && !/\.exe$/i.test(command);
     this.proc = spawn(command, args, {
       cwd: ctx.cwd || this.opts.cwd || process.cwd(),
       env: { ...process.env, ...(ctx.env || {}) },
-      shell: false,
+      shell: needsShell,
       stdio: ['pipe', 'pipe', 'pipe'],
       windowsHide: true,
     });

package/server/src/daemon-supervisor.mjs

@@ -26,12 +26,38 @@ import {
   writeFileSync,
   unlinkSync,
 } from 'node:fs';
+import net from 'node:net';
 import path from 'node:path';
 import os from 'node:os';
 import { resolveDaemonBinary } from './daemon-bin.mjs';
 
 const DEFAULT_HTTP_BASE = 'http://127.0.0.1:8320';
 
+/**
+ * Is something LISTENING on host:port? A successful TCP connect means the socket
+ * is still held (a new daemon would hit EADDRINUSE); ECONNREFUSED means nothing
+ * is listening — the port is FREE to bind. Loopback connects resolve instantly,
+ * so this is fast. Conservative on ambiguous outcomes (timeout / odd error):
+ * report "in use" rather than risk spawning into a half-released socket.
+ * @returns {Promise<boolean>} true = in use, false = free to bind.
+ */
+function defaultProbePort(host, port, timeoutMs = 1000) {
+  return new Promise((resolve) => {
+    const sock = net.connect({ host, port });
+    let done = false;
+    const finish = (inUse) => {
+      if (done) return;
+      done = true;
+      try { sock.destroy(); } catch { /* already closed */ }
+      resolve(inUse);
+    };
+    sock.setTimeout(timeoutMs);
+    sock.once('connect', () => finish(true)); //  someone is listening
+    sock.once('timeout', () => finish(true)); //  filtered/hung — assume held
+    sock.once('error', (e) => finish(e?.code !== 'ECONNREFUSED')); // refused = free
+  });
+}
+
 export class DaemonSupervisor {
   /**
    * @param {object} [opts]
@@ -53,6 +79,7 @@ export class DaemonSupervisor {
     spawnImpl = spawn,
     fetchImpl = globalThis.fetch,
     killImpl = (pid, sig) => process.kill(pid, sig),
+    probePortImpl = defaultProbePort, // (host, port, timeoutMs) -> Promise<bool>; test seam
     env = process.env,
     // b-ii: when the install is logged in (account.json present), these are
     // injected into the daemon's spawn env so it opens the proxy link
@@ -72,6 +99,7 @@ export class DaemonSupervisor {
     this.spawnImpl = spawnImpl;
     this.fetchImpl = fetchImpl;
     this.killImpl = killImpl;
+    this.probePortImpl = probePortImpl;
     this.env = env;
     this.accountToken = accountToken;
     this.serverUrl = serverUrl;
@@ -246,18 +274,52 @@ export class DaemonSupervisor {
     return { stopped: true, pid };
   }
 
+  /** The daemon's API host+port, parsed from httpBase (for raw socket checks). */
+  get apiHostPort() {
+    try {
+      const u = new URL(this.httpBase);
+      return { host: u.hostname || '127.0.0.1', port: Number(u.port) || 8320 };
+    } catch {
+      return { host: '127.0.0.1', port: 8320 };
+    }
+  }
+
+  /** Is the daemon's API port still held by a listener? (true = can't bind yet) */
+  portInUse(timeoutMs = 1000) {
+    const { host, port } = this.apiHostPort;
+    return this.probePortImpl(host, port, timeoutMs);
+  }
+
+  /**
+   * Block until the daemon's API port is FREE to bind, or the deadline passes.
+   * Returns true if it became free, false on timeout (caller proceeds anyway —
+   * best-effort, like the old health-poll).
+   */
+  async waitForPortFree(timeoutMs = 8000, pollMs = 150) {
+    const deadline = Date.now() + timeoutMs;
+    for (;;) {
+      if (!(await this.portInUse())) return true;
+      if (Date.now() >= deadline) return false;
+      await new Promise((r) => setTimeout(r, pollMs));
+    }
+  }
+
   /**
    * Recycle the daemon so it loads a freshly-resolved binary (after an
-   * auto-update). Stop the running process, wait for it to release its API port,
-   * then spawn again. Returns the `spawnDaemon` result.
+   * auto-update). Stop the running process, wait for it to release its API
+   * SOCKET, then spawn again. Returns the `spawnDaemon` result.
+   *
+   * Why wait on the socket, not health(): health() going false only means the
+   * daemon stopped answering HTTP — the OS can hold the :8320 listening socket a
+   * beat longer (graceful-shutdown drain / close). The daemon does NOT retry its
+   * bind: it logs "Address already in use" once and gives up, so the b-ii proxy
+   * link never forms and the public URL stays 502 until a reboot
+   * (docs/onboarding-hardening-2026-06-23.md). Spawning only once the socket is
+   * actually free closes that race.
    */
   async recycle() {
     await this.stop();
-    // Wait for the old process to exit + free :PORT, else the new one can't bind.
-    const deadline = Date.now() + 5000;
-    while (Date.now() < deadline && (await this.health()).running) {
-      await new Promise((r) => setTimeout(r, 200));
-    }
+    await this.waitForPortFree();
     return this.spawnDaemon();
   }