alvin-bot 4.18.0 → 4.18.2

package/AEC-PLUGINS-SOURCES.md

@@ -0,0 +1,53 @@
+# AEC Plugin Skills — Installed 22.04.2026
+
+54 Skills aus 3 Claude-Code-Plugins, erstellt von **Abhinav Bhardwaj** (GitHub: `Amanbh997`).
+Installiert via direkte Kopie in `~/.claude/skills/` — Claude Code auto-discovered via SKILL.md frontmatter.
+
+Vorher: 89 Skills. Nachher: **143 Skills** (+54).
+
+## Quellen
+
+| Plugin | Repo | Skills | Stars |
+|---|---|---|---|
+| **Urban Design** | [Amanbh997/Urban-Design-Skills-Claude](https://github.com/Amanbh997/Urban-Design-Skills-Claude) | 18 | ⭐ 76 |
+| **Architecture** | [Amanbh997/Skills-Architects](https://github.com/Amanbh997/Skills-Architects) | 18 | ⭐ 118 |
+| **Computational Design** | [Amanbh997/Claude-skills-for-Computational-Designers](https://github.com/Amanbh997/Claude-skills-for-Computational-Designers) | 18 | ⭐ 127 |
+
+Jedes Plugin: 35.000+ Zeilen, 7 Python-Calculators, 50+ Theorists, 30+ Tools, hunderte numerische Benchmarks.
+
+## Skill-Inventar
+
+### Urban Design (18)
+block-and-density · climate-responsive-design · cost-estimation · design-brief · design-evaluation · masterplan-design · mixed-use-programming · mobility-and-transport · precedent-study · public-space-design · site-analysis · street-design · sustainability-scoring · tod-design · urban-calculator · urban-design-foundations · urban-regeneration · zoning-and-codes
+
+### Architecture (18)
+accessibility-design · acoustic-design · architect-calculator · architect-foundations · building-codes · building-envelope · building-programming · building-services · building-sustainability · building-typology · concept-design · construction-documentation · daylighting-design · design-theory · fire-life-safety · material-selection · spatial-planning · structural-systems
+
+### Computational Design (18)
+algorithmic-patterns · bim-scripting · cd-calculator · cd-foundations · computational-geometry · data-driven-design · design-automation · digital-fabrication · environmental-simulation · facade-computation · generative-design · interoperability · mesh-processing · ml-for-aec · optimization-methods · parametric-modeling · scripting-reference · structural-computation
+
+## Update ziehen
+
+```bash
+cd /tmp && rm -rf aec-skills && mkdir aec-skills && cd aec-skills
+git clone --depth 1 https://github.com/Amanbh997/Urban-Design-Skills-Claude.git
+git clone --depth 1 https://github.com/Amanbh997/Skills-Architects.git
+git clone --depth 1 https://github.com/Amanbh997/Claude-skills-for-Computational-Designers.git
+cp -R Urban-Design-Skills-Claude/skills/* ~/.claude/skills/
+cp -R Skills-Architects/skills/* ~/.claude/skills/
+cp -R Claude-skills-for-Computational-Designers/skills/* ~/.claude/skills/
+```
+
+## Wie die Skills ausgelöst werden
+
+Jeder Skill hat im SKILL.md frontmatter eine `description`-Zeile die spezifische User-Anfragen matcht. Beispiele:
+
+- „Design a mixed-use quarter" → Urban Design Plugin (masterplan-design, tod-design, mixed-use-programming, zoning-and-codes, mobility-and-transport …)
+- „Check if this floor plan meets fire code" → Architecture Plugin (fire-life-safety, building-codes, accessibility-design, construction-documentation …)
+- „Generate a parametric facade pattern in Grasshopper" → Computational Design Plugin (parametric-modeling, facade-computation, algorithmic-patterns, digital-fabrication …)
+
+Laut Creator: *"Ask Claude to design a mixed-use quarter and all three plugins kick in working together."*
+
+## Quelle
+Reel vom Creator: https://www.instagram.com/reel/DXXhJS2kqAf/
+Uploader: Abhinav Bhardwaj / "Claude for AEC!"

package/CHANGELOG.md

@@ -2,6 +2,41 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.18.2] — 2026-04-23
+
+### 🐛 Fix: silent empty-stream after OAuth-token rotation
+
+**Problem:** After running `/extra-usage`, `/login`, or any other flow that rotates the Claude OAuth token in the macOS Keychain, the Alvin-Bot silently broke for long-lived sessions. The in-memory Claude SDK client held the old token, the CLI subprocess emitted no text chunks (the 401 was swallowed upstream), the stream terminated normally with zero output tokens, and the user saw the fallback `"(Keine Antwort)"` — with no indication that a token refresh was needed.
+
+**Fix** (`src/providers/claude-sdk-provider.ts`): In the `result` branch of the SDK stream loop, detect the empty-stream signature (`accumulatedText === ""` and `outputTokens === 0`). When that fires:
+
+1. Invalidate the `isAvailable()` cache so the next heartbeat probe spawns a fresh CLI subprocess that reads the current Keychain entry.
+2. Yield an explicit `error` chunk with actionable text so the user sees *"…token rotation — please resend your message"* instead of a silent `"(Keine Antwort)"`.
+
+**Applies to:** every token-rotation flow — extra-usage activation, extra-usage expiry, weekly-reset (no rotation → unaffected), manual `claude login`.
+
+**Net effect:** Bot self-heals after token changes. A single resend on the user side is enough; no manual restart required.
+
+## [4.18.1] — 2026-04-20
+
+### 🔒 Privacy-Guard: pre-publish check blocks PII leaks in shipped files
+
+Adds an automated gate that runs on every `npm publish` and prevents personal information from accidentally shipping. After the 4.18.0 privacy sanitization, this ensures it never happens again.
+
+**New:**
+- `scripts/privacy-check.sh` — scans the exact file list that `npm pack` would ship. Case-insensitive regex match against a patterns file. Any hit fails the publish.
+- `scripts/privacy-patterns.default.txt` — bundled, contains only generic patterns (email shape, IP addresses, postal codes, personal task phrasings). No project or person names — so safe to ship.
+- `package.json` `prepublishOnly` hook — runs the check automatically.
+- `npm run privacy-check` — manual run anytime.
+
+**Maintainer-local overrides:** Put `~/.alvin-bot/privacy-patterns.txt` with personal/project-specific patterns. That file is gitignored, never leaves your machine, and takes precedence over the bundled defaults.
+
+**CI override:** Set `$ALVIN_PRIVACY_PATTERNS` to an absolute path; takes top precedence over both files above.
+
+**Hardening: `.npmignore`** — added `test/` and `vitest.config.ts` to the ignore list. Previously the full test suite shipped with every npm tarball, adding ~2 MB and exposing test fixtures that sometimes referenced internal project names.
+
+**CLAUDE.md** — documents the rule and the patterns-file lookup order so future maintenance sessions catch new cases proactively.
+
 ## [4.18.0] — 2026-04-20
 
 ### ⚡ Performance + Hardening: medium-priority cleanups from the stability audit
@@ -169,8 +204,8 @@ The three aliased entries all route through `ClaudeSDKProvider` with different `
 
 ```yaml
 ---
-purpose: Interview prep
-cwd: ~/Documents/Interviews
+purpose: my-project
+cwd: ~/Projects/my-project
 model: sonnet           # opus | sonnet | haiku | claude-opus-4-7 | ...
 ---
 ```

package/DESIGN-SKILLS-SOURCES.md

@@ -0,0 +1,81 @@
+# Design Skills — Installed 22.04.2026
+
+19 neue Skills aus 2 Repos + Bestätigung dass Frontend Design bereits via Anthropic Plugin installiert ist.
+
+## Quellen
+
+| Skill | Repo | Stars | Status |
+|---|---|---|---|
+| **Impeccable** (18 commands) | [pbakaus/impeccable](https://github.com/pbakaus/impeccable) | ⭐ 21.419 | ✅ Neu installiert |
+| **Design Motion Principles** | [kylezantos/design-motion-principles](https://github.com/kylezantos/design-motion-principles) | ⭐ 293 | ✅ Neu installiert |
+| **Frontend Design** | [anthropics/skills/frontend-design](https://github.com/anthropics/skills) | — | ℹ️ War bereits aktiv (Plugin `frontend-design:frontend-design`) |
+
+## Reel-Quelle
+Marc Cleroux auf Instagram — https://www.instagram.com/reel/DXdVUiOjKUv/ (22.04.2026)
+
+## Impeccable-Commands (18)
+
+Vokabular um Claude bei frontend-design zu steuern wenn dir die richtigen Worte fehlen.
+
+| Command | Funktion |
+|---|---|
+| `/impeccable` | Core skill mit 18 commands + 7 Referenz-Domänen |
+| `/adapt` | Responsive / Breakpoints / Touch-Targets |
+| `/animate` | Purposeful motion + micro-interactions |
+| `/audit` | Technische Quality Checks (a11y, perf, responsive) + scored report |
+| `/bolder` | Bland → visuell interessanter |
+| `/clarify` | Unklare UX-Copy verbessern |
+| `/colorize` | Strategische Farbe einführen |
+| `/critique` | UX Design Review (Hierarchie, Klarheit, Resonanz) |
+| `/delight` | Joy-Momente, Personality, Memorable Touches |
+| `/distill` | Auf Essenz reduzieren, Complexity weg |
+| `/harden` | Error Handling, Empty States, Onboarding, i18n, Edge Cases |
+| `/layout` | Layout / Spacing / Visual Rhythm fixen |
+| `/optimize` | Performance (Bundle, Rendering, Images) |
+| `/overdrive` | Technisch ambitioniert — Shaders, Spring Physics, 60fps |
+| `/polish` | Final Quality Pass pre-shipping |
+| `/quieter` | Overstimulating Design beruhigen |
+| `/shape` | UX/UI-Plan vor Code |
+| `/typeset` | Typografie fixen |
+
+### 7 Referenz-Domänen in `impeccable`
+typography · color-and-contrast · spatial-design · motion-design · interaction-design · responsive-design · ux-writing
+
+## Design Motion Principles
+
+Motion-Audit-Skill basierend auf den Philosophien von:
+- **Emil Kowalski** — iOS-native UI polish
+- **Jakub Krehel** — smooth interaction design
+- **Jhey Tompkins** — creative web animation
+
+Use case: *"Audit the hover states and transitions on my landing page"* → strukturierter Motion-Report.
+
+## Installation
+
+Geklont + direkt in `~/.claude/skills/` einzeln kopiert (Impeccable folgt dem Pattern aus ihrer README: `cp -r dist/claude-code/.claude/* ~/.claude/`).
+
+## Update ziehen
+
+```bash
+cd /tmp && rm -rf design-skills && mkdir design-skills && cd design-skills
+git clone --depth 1 https://github.com/pbakaus/impeccable.git
+git clone --depth 1 https://github.com/kylezantos/design-motion-principles.git
+cp -R impeccable/.claude/skills/. ~/.claude/skills/
+cp -R design-motion-principles/skills/design-motion-principles ~/.claude/skills/
+```
+
+## Stand Skills-Inventar (22.04.2026)
+- Vorher: 143 (nach AEC-Installation)
+- Nachher: **162** (+19)
+
+## Nebenbaustelle
+Impeccable bringt zusätzlich eine `.claude/agents/anti-patterns.md` mit — nicht installiert (würde Permission für `~/.claude/agents/` brauchen). Das ist optional: Die 18 Skills funktionieren unabhängig vom Anti-Patterns-Agent. Falls später gewünscht: `cp -R /tmp/design-skills/impeccable/.claude/agents/. ~/.claude/agents/`
+
+## Empfohlene Workflow-Kombination
+
+Laut Marc Cleroux im Reel ist das Power-Trio:
+1. **shape** (plan before code) — Teil von Impeccable
+2. **frontend-design** (implement mit Geschmack) — schon installiert
+3. **audit** + **critique** + **polish** (iterieren) — Impeccable
+
+Bei jedem neuen Frontend-Build: `/shape` → `/impeccable craft` → `/audit` → `/critique` → `/polish` → shippen.

package/bin/cli.js

@@ -1828,7 +1828,7 @@ switch (cmd) {
     const searchQuery = process.argv.slice(3).join(" ");
     if (!searchQuery) {
       console.log("Usage: alvin-bot search <query>");
-      console.log('Example: alvin-bot search "cover letter"');
+      console.log('Example: alvin-bot search "tax document 2024"');
       process.exit(1);
     }
     const { searchSelf, formatSearchResults } = await import("../dist/services/self-search.js");

package/dist/providers/claude-sdk-provider.js

@@ -309,6 +309,30 @@ export class ClaudeSDKProvider {
                         ? (usage.input_tokens || 0) + (usage.cache_creation_input_tokens || 0) + (usage.cache_read_input_tokens || 0)
                         : 0;
                     const outputTok = usage?.output_tokens || 0;
+                    // v4.18.2 — Silent-empty-stream detection.
+                    //
+                    // If the stream terminated cleanly but produced ZERO text chunks,
+                    // something went wrong that the SDK didn't surface as an error:
+                    // most commonly a stale OAuth token after /extra-usage or /login
+                    // rotated the Keychain entry while our in-memory SDK client was
+                    // still holding the old one. The CLI subprocess silently gets a
+                    // 401, emits no text, and we complete the stream with
+                    // accumulatedText === "". The user sees "(Keine Antwort)".
+                    //
+                    // We flip this from silent failure to explicit error. Clearing
+                    // the availability cache forces the next heartbeat probe to
+                    // re-check `claude auth status` with a fresh subprocess (which
+                    // reads the current Keychain entry).
+                    if (accumulatedText === "" && outputTok === 0) {
+                        this.invalidateAvailabilityCache();
+                        yield {
+                            type: "error",
+                            error: "Claude returned an empty response. " +
+                                "This can happen right after /extra-usage, /login, or a token refresh — " +
+                                "the SDK held a stale auth token. I've invalidated the cache; please resend your message.",
+                        };
+                        return;
+                    }
                     yield {
                         type: "done",
                         text: accumulatedText,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.18.0",
+  "version": "4.18.2",
   "description": "Alvin Bot \u2014 Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",
@@ -15,6 +15,8 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:ui": "vitest --ui",
+    "privacy-check": "bash scripts/privacy-check.sh",
+    "prepublishOnly": "bash scripts/privacy-check.sh",
     "electron:compile": "tsc -p electron/tsconfig.json",
     "electron:dev": "npm run electron:compile && electron .",
     "electron:build": "npm run build && npm run electron:compile && electron-builder --publish never",

package/test/allowed-users-gate.test.ts

@@ -1,98 +0,0 @@
-/**
- * v4.12.2 — ALLOWED_USERS startup hard-fail gate.
- *
- * When the Telegram bot token is configured but ALLOWED_USERS is empty,
- * starting the bot would leave it open to any Telegram user sending a DM.
- * Previously this only emitted a console.warn and the bot started anyway.
- *
- * v4.12.2 introduces a pure gate function that decides whether to refuse
- * startup, with two explicit escape hatches:
- *   1. AUTH_MODE=open — user explicitly wants an open bot
- *   2. ALVIN_INSECURE_ACKNOWLEDGED=1 — explicit opt-out for test/scripted envs
- *
- * This test file exercises the pure gate. The actual wiring in src/index.ts
- * is a thin if-block that calls process.exit(1) on deny.
- */
-import { describe, it, expect } from "vitest";
-import { checkAllowedUsersGate } from "../src/services/allowed-users-gate.js";
-
-describe("allowed-users-gate (v4.12.2)", () => {
-  it("allows startup when ALLOWED_USERS is populated", () => {
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 1,
-      authMode: "allowlist",
-      insecureAcknowledged: false,
-    });
-    expect(result.allowed).toBe(true);
-    expect(result.reason).toBeUndefined();
-  });
-
-  it("BLOCKS startup when telegram enabled but allowedUsers empty (allowlist mode)", () => {
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 0,
-      authMode: "allowlist",
-      insecureAcknowledged: false,
-    });
-    expect(result.allowed).toBe(false);
-    expect(result.reason).toContain("ALLOWED_USERS");
-  });
-
-  it("BLOCKS startup when telegram enabled but allowedUsers empty (pairing mode)", () => {
-    // Pairing mode needs allowedUsers[0] as the admin for approval routing.
-    // Empty array breaks the whole pairing flow.
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 0,
-      authMode: "pairing",
-      insecureAcknowledged: false,
-    });
-    expect(result.allowed).toBe(false);
-  });
-
-  it("ALLOWS startup when AUTH_MODE=open explicitly", () => {
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 0,
-      authMode: "open",
-      insecureAcknowledged: false,
-    });
-    expect(result.allowed).toBe(true);
-    expect(result.warning).toContain("open");
-  });
-
-  it("ALLOWS startup when ALVIN_INSECURE_ACKNOWLEDGED=1", () => {
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 0,
-      authMode: "allowlist",
-      insecureAcknowledged: true,
-    });
-    expect(result.allowed).toBe(true);
-    expect(result.warning).toContain("INSECURE");
-  });
-
-  it("ALLOWS startup when telegram is NOT enabled (bot is WebUI-only)", () => {
-    // WebUI-only deployments don't have a BOT_TOKEN and don't need
-    // ALLOWED_USERS — the gate only applies when hasTelegram === true.
-    const result = checkAllowedUsersGate({
-      hasTelegram: false,
-      allowedUsersCount: 0,
-      authMode: "allowlist",
-      insecureAcknowledged: false,
-    });
-    expect(result.allowed).toBe(true);
-  });
-
-  it("reason message mentions ~/.alvin-bot/.env and @userinfobot for operator guidance", () => {
-    const result = checkAllowedUsersGate({
-      hasTelegram: true,
-      allowedUsersCount: 0,
-      authMode: "allowlist",
-      insecureAcknowledged: false,
-    });
-    expect(result.reason).toMatch(/\.env|alvin-bot/i);
-    expect(result.reason).toMatch(/userinfobot|telegram/i);
-  });
-});

package/test/alvin-dispatch.test.ts

@@ -1,220 +0,0 @@
-/**
- * v4.13 — alvin_dispatch custom-tool service.
- *
- * `dispatchDetachedAgent(input)` spawns a truly independent `claude -p`
- * subprocess that survives the parent handler's abort. This is the
- * architectural replacement for SDK's built-in Task(run_in_background)
- * tool, which was tied to the parent SDK subprocess lifecycle.
- *
- * Contract:
- *   - Input: { prompt, description, chatId, userId, sessionKey }
- *   - Output (synchronous): { agentId, outputFile, spawned: true }
- *   - Side effect: spawns detached subprocess writing stream-json
- *     output to outputFile, registers with async-agent-watcher.
- *
- * These tests stub child_process.spawn so they run fast and deterministic.
- * The "real subprocess survives parent" property was verified empirically
- * in Phase A (see plan doc).
- */
-import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import os from "os";
-import fs from "fs";
-import { resolve } from "path";
-
-const TEST_DATA_DIR = resolve(
-  os.tmpdir(),
-  `alvin-dispatch-${process.pid}-${Date.now()}`,
-);
-
-interface SpawnRecord {
-  cmd: string;
-  args: string[];
-  opts: {
-    detached?: boolean;
-    stdio?: unknown;
-    cwd?: string;
-    env?: Record<string, string | undefined>;
-  };
-  unreffed: boolean;
-}
-
-let spawned: SpawnRecord[] = [];
-
-beforeEach(async () => {
-  if (fs.existsSync(TEST_DATA_DIR))
-    fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
-  fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
-  process.env.ALVIN_DATA_DIR = TEST_DATA_DIR;
-  spawned = [];
-  vi.resetModules();
-
-  vi.doMock("node:child_process", async () => {
-    const actual = await vi.importActual<typeof import("node:child_process")>(
-      "node:child_process",
-    );
-    return {
-      ...actual,
-      spawn: (cmd: string, args: string[], opts: SpawnRecord["opts"]) => {
-        const record: SpawnRecord = {
-          cmd,
-          args,
-          opts,
-          unreffed: false,
-        };
-        spawned.push(record);
-        return {
-          pid: 12345,
-          unref() {
-            record.unreffed = true;
-          },
-          on() {},
-          kill() {},
-        };
-      },
-    };
-  });
-
-  vi.doMock("../src/services/subagent-delivery.js", () => ({
-    deliverSubAgentResult: async () => {},
-    attachBotApi: () => {},
-    __setBotApiForTest: () => {},
-  }));
-});
-
-afterEach(async () => {
-  try {
-    const mod = await import("../src/services/async-agent-watcher.js");
-    mod.stopWatcher();
-    mod.__resetForTest();
-  } catch {
-    /* ignore */
-  }
-});
-
-describe("dispatchDetachedAgent (v4.13)", () => {
-  it("spawns claude -p with detached: true and unrefs", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    const result = mod.dispatchDetachedAgent({
-      prompt: "research X",
-      description: "X research",
-      chatId: 42,
-      userId: 42,
-      sessionKey: "s1",
-    });
-    expect(result.agentId).toMatch(/^alvin-[a-f0-9]{16,}$/);
-    expect(result.outputFile).toContain(TEST_DATA_DIR);
-    expect(result.spawned).toBe(true);
-
-    expect(spawned).toHaveLength(1);
-    const [s] = spawned;
-    expect(s.cmd).toMatch(/claude/);
-    expect(s.args).toContain("-p");
-    expect(s.args).toContain("research X");
-    expect(s.args).toContain("--output-format");
-    expect(s.args).toContain("stream-json");
-    expect(s.opts.detached).toBe(true);
-    expect(s.unreffed).toBe(true);
-  });
-
-  it("returns unique agentIds for concurrent dispatches", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    const r1 = mod.dispatchDetachedAgent({
-      prompt: "a",
-      description: "a",
-      chatId: 1,
-      userId: 1,
-      sessionKey: "s1",
-    });
-    const r2 = mod.dispatchDetachedAgent({
-      prompt: "b",
-      description: "b",
-      chatId: 1,
-      userId: 1,
-      sessionKey: "s1",
-    });
-    expect(r1.agentId).not.toBe(r2.agentId);
-    expect(r1.outputFile).not.toBe(r2.outputFile);
-  });
-
-  it("registers the pending agent with the watcher", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    const watcher = await import("../src/services/async-agent-watcher.js");
-
-    mod.dispatchDetachedAgent({
-      prompt: "x",
-      description: "X audit",
-      chatId: 42,
-      userId: 42,
-      sessionKey: "s1",
-    });
-
-    const pending = watcher.listPendingAgents();
-    expect(pending).toHaveLength(1);
-    expect(pending[0].description).toBe("X audit");
-    expect(pending[0].sessionKey).toBe("s1");
-  });
-
-  it("increments session.pendingBackgroundCount on dispatch", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    const { getSession } = await import("../src/services/session.js");
-
-    const session = getSession("s-count");
-    session.pendingBackgroundCount = 0;
-
-    mod.dispatchDetachedAgent({
-      prompt: "p",
-      description: "d",
-      chatId: 1,
-      userId: 1,
-      sessionKey: "s-count",
-    });
-    expect(session.pendingBackgroundCount).toBe(1);
-
-    mod.dispatchDetachedAgent({
-      prompt: "p2",
-      description: "d2",
-      chatId: 1,
-      userId: 1,
-      sessionKey: "s-count",
-    });
-    expect(session.pendingBackgroundCount).toBe(2);
-  });
-
-  it("uses stdio redirect so child's stdout goes to outputFile", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    mod.dispatchDetachedAgent({
-      prompt: "p",
-      description: "d",
-      chatId: 1,
-      userId: 1,
-      sessionKey: "s1",
-    });
-    const [s] = spawned;
-    // stdio should be an array with FD redirects (ignore, pipe-to-file, ignore)
-    // or similar. We verify it's NOT "inherit" (which would attach to parent).
-    expect(s.opts.stdio).not.toBe("inherit");
-    expect(s.opts.stdio).not.toBe(undefined);
-  });
-
-  it("cleans env of CLAUDECODE/CLAUDE_CODE_ENTRYPOINT to prevent nested session errors", async () => {
-    const mod = await import("../src/services/alvin-dispatch.js");
-    process.env.CLAUDECODE = "1";
-    process.env.CLAUDE_CODE_ENTRYPOINT = "cli";
-    try {
-      mod.dispatchDetachedAgent({
-        prompt: "p",
-        description: "d",
-        chatId: 1,
-        userId: 1,
-        sessionKey: "s1",
-      });
-      const [s] = spawned;
-      expect(s.opts.env).toBeDefined();
-      expect(s.opts.env?.CLAUDECODE).toBeUndefined();
-      expect(s.opts.env?.CLAUDE_CODE_ENTRYPOINT).toBeUndefined();
-    } finally {
-      delete process.env.CLAUDECODE;
-      delete process.env.CLAUDE_CODE_ENTRYPOINT;
-    }
-  });
-});