brepjs-verify 0.8.0 → 0.24.1

package/README.md

@@ -2,11 +2,11 @@
 
 Agent skill + verify/preview tooling for authoring parametric CAD with [brepjs](https://github.com/andymai/brepjs).
 
-It ships as **two cooperating pieces on two rails** — install both.
+It ships as **two cooperating pieces on two rails**; install both.
 
 ## 1. The skill (Claude Code plugin)
 
-Teaches an agent the authoring workflow. Delivered via the brepjs marketplace (git), **not** npm — Claude Code discovers skills from plugins, never from `node_modules`:
+Teaches an agent the authoring workflow. Delivered via the brepjs marketplace (git), **not** npm. Claude Code discovers skills from plugins, never from `node_modules`:
 
 ```
 /plugin marketplace add andymai/brepjs
@@ -23,10 +23,10 @@ npm i -D brepjs-verify brepjs occt-wasm
 
 ## API reference
 
-The package bundles brepjs's full API reference for offline/agent use — the complete export surface with signatures and examples:
+The package bundles brepjs's full API reference for offline/agent use: the complete export surface with signatures and examples:
 
-- `reference/llms-full.txt` — every export, full signatures (the deep reference)
-- `reference/llms.txt` — the same content as a quicker index
+- `reference/llms-full.txt`: every export, full signatures (the deep reference)
+- `reference/llms.txt`: the same content as a quicker index
 
 Point your agent at `node_modules/brepjs-verify/reference/llms-full.txt` for anything the skill's curated references don't cover.
 
@@ -51,7 +51,7 @@ npx -y brepjs-verify part.brep.ts --serve --no-open                     # previe
 
 `--snapshot`/`--serve` use the bundled viewer (shipped under `viewer/dist`, including the OCCT WASM). The `--serve` link is interactive: a toolbar offers view presets + fit, solid/wireframe/x-ray modes, edge/grid toggles, a turntable, click-to-inspect face picking, a section/clipping plane, a measurements panel, and an in-browser PNG screenshot. `--snapshot` loads the same page with `ui=0` to suppress the toolbar, and burns the bounding-box size into each PNG (`dims=1`) so the agent can read scale from the image.
 
-`--serve` prints the viewer URL and, in an interactive terminal, opens it in your default browser. Auto-open is skipped when it would be unwanted — when the server is reused (a tab is already open), under CI, when output is piped (non-TTY, e.g. agent runs), or on Linux with no display server. Pass `--no-open` to always suppress it.
+`--serve` prints the viewer URL and, in an interactive terminal, opens it in your default browser. Auto-open is skipped when it would be unwanted: when the server is reused (a tab is already open), under CI, when output is piped (non-TTY, e.g. agent runs), or on Linux with no display server. Pass `--no-open` to always suppress it.
 
 ## CLI reference
 
@@ -65,8 +65,8 @@ The `brepjs-verify` bin is a multi-command CLI. `verify` is the default command,
 | `brepjs-verify export <file>`   | Batch artifacts behind a validity gate: `--step`, `--glb`, `--stl`, or `--all`; `--out <dir>` (default `.`). Exits non-zero on failure.                                                                                                                                                            |
 | `brepjs-verify measure <a> [b]` | Measurements for one part; with a second module, the distance between the two parts.                                                                                                                                                                                                               |
 | `brepjs-verify diff <a> <b>`    | Compares the measurements of a baseline and a comparison module.                                                                                                                                                                                                                                   |
-| `brepjs-verify snapshot`        | Multi-view PNG capture — surfaced via `verify --snapshot <dir>`. Requires the optional `puppeteer`/Chrome dependency; degrades with a clear message when absent.                                                                                                                                   |
-| `brepjs-verify serve`           | Preview server with a `?dir=&file=` deep link — surfaced via `verify --serve`. Auto-opens the browser in an interactive terminal (suppressed under CI / non-TTY / no display, or with `--no-open`).                                                                                                |
+| `brepjs-verify snapshot`        | Multi-view PNG capture, surfaced via `verify --snapshot <dir>`. Requires the optional `puppeteer`/Chrome dependency; degrades with a clear message when absent.                                                                                                                                    |
+| `brepjs-verify serve`           | Preview server with a `?dir=&file=` deep link, surfaced via `verify --serve`. Auto-opens the browser in an interactive terminal (suppressed under CI / non-TTY / no display, or with `--no-open`).                                                                                                 |
 
 Every command writes a single machine-readable JSON document to stdout; diagnostics (paths, kernel chatter, watch notices) go to stderr.
 
@@ -82,7 +82,7 @@ This is the closed _build → verify_ loop as a single call: the agent sends par
 
 ### Connect (local build)
 
-Build the package, then register the server by absolute path. Run both commands from the package root (`packages/brepjs-verify`), where `dist/` is emitted — `$(pwd)` is resolved by your shell at that location:
+Build the package, then register the server by absolute path. Run both commands from the package root (`packages/brepjs-verify`), where `dist/` is emitted. `$(pwd)` is resolved by your shell at that location:
 
 ```bash
 npm run build   # emits dist/mcp/server.js
@@ -95,24 +95,24 @@ Once the package is published to npm, the same server is available without a loc
 claude mcp add brepjs-verify -- npx -y --package brepjs-verify brepjs-verify-mcp
 ```
 
-The server runs locally as a child process of your agent (stdio) — geometry never leaves your machine.
+The server runs locally as a child process of your agent (stdio); geometry never leaves your machine.
 
 ## Examples gallery
 
 Few-shot examples live under `skill/examples/<name>.brep.ts`, each with a `<name>.expected.json` baseline. Grouped by category:
 
-- **Primitives + booleans** — `mounting-bracket`, `flanged-coupler`, `transform-bracket`
-- **2D sketch → solid** — `extruded-bracket` (extrude), `revolved-pulley` (revolve), `swept-gasket` (sweep)
-- **Modifiers** — `rounded-block` (fillet), `chamfered-block` (chamfer), `hollow-enclosure` (shell)
-- **Gridfinity primitives** — `gridfinity-baseplate`, `gridfinity-bin`, `gridfinity-divider`
+- **Primitives + booleans**: `mounting-bracket`, `flanged-coupler`, `transform-bracket`
+- **2D sketch → solid**: `extruded-bracket` (extrude), `revolved-pulley` (revolve), `swept-gasket` (sweep)
+- **Modifiers**: `rounded-block` (fillet), `chamfered-block` (chamfer), `hollow-enclosure` (shell)
+- **Gridfinity primitives**: `gridfinity-baseplate`, `gridfinity-bin`, `gridfinity-divider`
 
 ## Eval / scorecard
 
-`npm run eval` (`bench/run.ts`) replays every `skill/examples/*.brep.ts` with a sibling `*.expected.json` through the public `runPart` runtime, compares measured volume/area/validity/shape-type against the recorded baseline within each file's tolerance (default 0.5%), prints a PASS/FAIL scorecard, and exits non-zero on any regression. It is deterministic — no LLM or API key — so it runs in CI as the package's regression net. Refresh a baseline by re-recording the example's `*.expected.json` after an intentional geometry change.
+`npm run eval` (`bench/run.ts`) replays every `skill/examples/*.brep.ts` with a sibling `*.expected.json` through the public `runPart` runtime, compares measured volume/area/validity/shape-type against the recorded baseline within each file's tolerance (default 0.5%), prints a PASS/FAIL scorecard, and exits non-zero on any regression. It is deterministic (no LLM or API key) so it runs in CI as the package's regression net. Refresh a baseline by re-recording the example's `*.expected.json` after an intentional geometry change.
 
 ### Live eval (`npm run eval:live`)
 
-The measurement flywheel: sends ~18 natural-language part prompts (`bench/prompts.ts`) to a real model — using the **deployed `SKILL.md` as the system prompt**, so it measures the actual skill — then verifies each generated part two ways:
+The measurement flywheel: sends ~18 natural-language part prompts (`bench/prompts.ts`) to a real model (using the **deployed `SKILL.md` as the system prompt**, so it measures the actual skill), then verifies each generated part two ways:
 
 - **Auto (objective):** `runPart --check` → valid solid + any pinned dims within tolerance.
 - **Judge (intent):** a multimodal Claude call looks at the rendered iso/front/top/right snapshots and decides whether the part matches the request + rubric.
@@ -125,7 +125,7 @@ ANTHROPIC_API_KEY=sk-... npm run eval:live -w brepjs-verify -- --model claude-so
 #   --only <id|category>   run a subset      --keep   keep the generated parts
 ```
 
-Opt-in and **billed** (real API calls), so it does _not_ run in CI — the deterministic replay above is the CI gate. Snapshots (hence the judge) need `puppeteer`/Chrome; without them the run scores on auto-verify alone and notes the skipped judge.
+Opt-in and **billed** (real API calls), so it does _not_ run in CI; the deterministic replay above is the CI gate. Snapshots (hence the judge) need `puppeteer`/Chrome; without them the run scores on auto-verify alone and notes the skipped judge.
 
 ## Programmatic API
 
@@ -138,4 +138,4 @@ console.log(serializeReport(report)); // { ok, shapeType, checks, measurements,
 
 ## How verification works
 
-Deterministic checks are the source of truth — validity brands (`validSolid`), `measureVolume`/`measureArea`, and bounding box — surfaced as a JSON report. Multi-view PNG snapshots are a diagnostic layer, never a substitute for a measurement. STEP is the primary, validated artifact; GLB/STL are derived previews.
+Deterministic checks are the source of truth (validity brands (`validSolid`), `measureVolume`/`measureArea`, and bounding box) surfaced as a JSON report. Multi-view PNG snapshots are a diagnostic layer, never a substitute for a measurement. STEP is the primary, validated artifact; GLB/STL are derived previews.

package/dist/brepjs-verify.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_diff = require("./diff-DDEu6YJM.cjs");
+const require_diff = require("./diff-3ivpxBET.cjs");
 exports.DEFAULT_TOLERANCE_PCT = require_diff.DEFAULT_TOLERANCE_PCT;
 exports.TYPECHECK_CODE = require_diff.TYPECHECK_CODE;
 exports.emptyReport = require_diff.emptyReport;

package/dist/brepjs-verify.js

@@ -1,2 +1,2 @@
-import { a as typecheckPart, c as isExpectedDims, d as emptyReport, i as TYPECHECK_CODE, l as pctDelta, m as serializeReport, n as runMeasure, o as DEFAULT_TOLERANCE_PCT, r as runPart, s as evaluateExpected, t as runDiff, u as runChecks } from "./diff-BCECMYSQ.js";
+import { a as typecheckPart, c as isExpectedDims, d as emptyReport, i as TYPECHECK_CODE, l as pctDelta, m as serializeReport, n as runMeasure, o as DEFAULT_TOLERANCE_PCT, r as runPart, s as evaluateExpected, t as runDiff, u as runChecks } from "./diff-DyilrTFJ.js";
 export { DEFAULT_TOLERANCE_PCT, TYPECHECK_CODE, emptyReport, evaluateExpected, isExpectedDims, pctDelta, runChecks, runDiff, runMeasure, runPart, serializeReport, typecheckPart };

package/dist/cli/main.cjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_diff = require("../diff-DDEu6YJM.cjs");
+const require_diff = require("../diff-3ivpxBET.cjs");
 let node_url = require("node:url");
 let node_fs = require("node:fs");
 let node_path = require("node:path");

package/dist/cli/main.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { f as pushError, h as loadBrep, m as serializeReport, n as runMeasure, p as reportOk, r as runPart, t as runDiff } from "../diff-BCECMYSQ.js";
+import { f as pushError, h as loadBrep, m as serializeReport, n as runMeasure, p as reportOk, r as runPart, t as runDiff } from "../diff-DyilrTFJ.js";
 import { fileURLToPath } from "node:url";
 import { existsSync, mkdirSync, realpathSync, watch, writeFileSync } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";

package/dist/{diff-DDEu6YJM.cjs → diff-3ivpxBET.cjs}

@@ -738,7 +738,7 @@ async function runPart(modulePath, opts = {}) {
 	});
 }
 //#endregion
-//#region \0@oxc-project+runtime@0.132.0/helpers/usingCtx.js
+//#region \0@oxc-project+runtime@0.133.0/helpers/esm/usingCtx.js
 function _usingCtx() {
 	var r = "function" == typeof SuppressedError ? SuppressedError : function(r, e) {
 		var n = Error();

package/dist/{diff-BCECMYSQ.js → diff-DyilrTFJ.js}

@@ -736,7 +736,7 @@ async function runPart(modulePath, opts = {}) {
 	});
 }
 //#endregion
-//#region \0@oxc-project+runtime@0.132.0/helpers/usingCtx.js
+//#region \0@oxc-project+runtime@0.133.0/helpers/esm/usingCtx.js
 function _usingCtx() {
 	var r = "function" == typeof SuppressedError ? SuppressedError : function(r, e) {
 		var n = Error();

package/dist/mcp/server.cjs

@@ -8,7 +8,6 @@ let node_fs_promises = require("node:fs/promises");
 let _modelcontextprotocol_sdk_server_index_js = require("@modelcontextprotocol/sdk/server/index.js");
 let _modelcontextprotocol_sdk_server_stdio_js = require("@modelcontextprotocol/sdk/server/stdio.js");
 let _modelcontextprotocol_sdk_types_js = require("@modelcontextprotocol/sdk/types.js");
-let node_util = require("node:util");
 let node_crypto = require("node:crypto");
 //#region src/sandbox/runProgram.ts
 /**
@@ -20,11 +19,22 @@ let node_crypto = require("node:crypto");
 * rather than hanging or crashing the host. Results cross the boundary as serialized JSON (never
 * live WASM handles), and the temp program directory is always cleaned up.
 */
-var execFileAsync = (0, node_util.promisify)(node_child_process.execFile);
 var DEFAULT_TIMEOUT_MS = 3e4;
 var DEFAULT_MAX_MEMORY_MB = 2048;
 var MAX_OUTPUT_BYTES = 8 * 1024 * 1024;
 /**
+* In-flight sandbox process *groups*, keyed by group-leader pid. Tracked so a dying host can reap
+* its runs (see installSandboxShutdownHandlers) — the per-run timeout can't, since its timer dies
+* with the host.
+*/
+var activeGroups = /* @__PURE__ */ new Set();
+/** SIGKILL (or `signal`) an entire detached process group by its leader pid; ignore if already gone. */
+function killGroup(pid, signal) {
+	try {
+		process.kill(process.platform === "win32" ? pid : -pid, signal);
+	} catch {}
+}
+/**
 * Clamp a caller-supplied limit to a positive, finite value, falling back to the default otherwise.
 * Critical for the timeout: Node's `execFile` treats `timeout: 0` (and it ignores negatives) as
 * "no timeout", which would silently disable the sandbox's only runaway protection.
@@ -53,39 +63,14 @@ async function runVerifyCli(code, makeArgs, opts) {
 		const partPath = (0, node_path.join)(dir, "part.brep.ts");
 		await (0, node_fs_promises.writeFile)(partPath, code);
 		const cliArgs = makeArgs(partPath);
-		const cmd = useTsx ? "npx" : process.execPath;
-		const args = useTsx ? [
+		return await spawnCliOutcome(useTsx ? "npx" : process.execPath, useTsx ? [
 			"tsx",
 			cliEntry,
 			...cliArgs
-		] : [cliEntry, ...cliArgs];
-		try {
-			const { stdout, stderr } = await execFileAsync(cmd, args, {
-				timeout: timeoutMs,
-				killSignal: "SIGKILL",
-				maxBuffer: MAX_OUTPUT_BYTES,
-				env: {
-					...process.env,
-					NODE_OPTIONS: [process.env["NODE_OPTIONS"], `--max-old-space-size=${maxMemoryMb}`].filter(Boolean).join(" ")
-				}
-			});
-			return {
-				stdout,
-				stderr,
-				timedOut: false,
-				outputTooLarge: false,
-				exitCode: 0
-			};
-		} catch (err) {
-			const e = err;
-			return {
-				stdout: e.stdout ?? "",
-				stderr: e.stderr ?? (err instanceof Error ? err.message : String(err)),
-				timedOut: Boolean(e.killed) && e.code !== "ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
-				outputTooLarge: e.code === "ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
-				exitCode: typeof e.code === "number" ? e.code : null
-			};
-		}
+		] : [cliEntry, ...cliArgs], {
+			...process.env,
+			NODE_OPTIONS: [process.env["NODE_OPTIONS"], `--max-old-space-size=${maxMemoryMb}`].filter(Boolean).join(" ")
+		}, timeoutMs);
 	} finally {
 		await (0, node_fs_promises.rm)(dir, {
 			recursive: true,
@@ -93,6 +78,109 @@ async function runVerifyCli(code, makeArgs, opts) {
 		});
 	}
 }
+/**
+* Spawn the verify CLI in its OWN process group and enforce the wall-clock budget by SIGKILLing the
+* WHOLE group on timeout — not just the direct child.
+*
+* Why a process group rather than Node's built-in `execFile` timeout: in dev/test the CLI runs as
+* `npx tsx <main.ts>`, so the process that actually executes the part (and can spin on a CPU-bound
+* OCCT op) is a *grandchild* behind npx+tsx. `child_process`' `timeout`/`killSignal` signals only
+* the direct child, so a fired timeout SIGKILLs `npx` and orphans the still-spinning grandchild
+* forever (it reparents to init and keeps burning a core). Spawning `detached` makes the child a
+* process-group leader that npx's descendants inherit, so `process.kill(-pid, …)` reaps the entire
+* tree. The production path (`node dist/cli/main.js`) has no intermediary, but the group kill is
+* equally correct there.
+*/
+function spawnCliOutcome(cmd, args, env, timeoutMs) {
+	return new Promise((resolve) => {
+		const child = (0, node_child_process.spawn)(cmd, args, {
+			env,
+			detached: true,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+		if (child.pid !== void 0) activeGroups.add(child.pid);
+		let stdout = "";
+		let stderr = "";
+		let stdoutBytes = 0;
+		let timedOut = false;
+		let outputTooLarge = false;
+		let settled = false;
+		const killTree = (signal) => {
+			if (child.pid !== void 0) killGroup(child.pid, signal);
+		};
+		const timer = setTimeout(() => {
+			timedOut = true;
+			killTree("SIGKILL");
+		}, timeoutMs);
+		child.stdout?.on("data", (chunk) => {
+			if (outputTooLarge) return;
+			stdoutBytes += chunk.length;
+			if (stdoutBytes > MAX_OUTPUT_BYTES) {
+				outputTooLarge = true;
+				killTree("SIGKILL");
+				return;
+			}
+			stdout += chunk.toString();
+		});
+		let stderrBytes = 0;
+		child.stderr?.on("data", (chunk) => {
+			stderrBytes += chunk.length;
+			if (stderrBytes <= MAX_OUTPUT_BYTES) stderr += chunk.toString();
+		});
+		const finish = (exitCode) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			if (child.pid !== void 0) activeGroups.delete(child.pid);
+			resolve({
+				stdout,
+				stderr,
+				timedOut,
+				outputTooLarge,
+				exitCode
+			});
+		};
+		child.on("error", (err) => {
+			if (!stderr) stderr = err.message;
+			finish(null);
+		});
+		child.on("close", (code) => finish(code));
+	});
+}
+/** SIGKILL every in-flight sandbox process group now. Exported so a host can reap explicitly. */
+function killActiveSandboxes(signal = "SIGKILL") {
+	for (const pid of activeGroups) killGroup(pid, signal);
+	activeGroups.clear();
+}
+var shutdownHandlersInstalled = false;
+/**
+* Install process-shutdown hooks that reap any in-flight sandbox process groups when THIS process
+* (the host — e.g. the MCP server) terminates. Idempotent; call once at startup from an entrypoint.
+*
+* Rationale: the per-run timeout (`spawnCliOutcome`) only protects a run while the host is alive —
+* its timer dies with the host. If the host is stopped (the agent disconnects) before a run's
+* budget elapses, the `detached` sandbox group is in its own session and survives, burning a core
+* indefinitely. These hooks SIGKILL every tracked group on the way down so a dying host doesn't
+* leak its children. (A hard SIGKILL of the host can't be trapped — that residual needs the kernel's
+* PR_SET_PDEATHSIG, which Node doesn't expose.)
+*/
+function installSandboxShutdownHandlers() {
+	if (shutdownHandlersInstalled) return;
+	shutdownHandlersInstalled = true;
+	process.on("exit", () => killActiveSandboxes("SIGKILL"));
+	process.once("SIGTERM", () => {
+		killActiveSandboxes("SIGKILL");
+		process.exit(143);
+	});
+	process.once("SIGINT", () => {
+		killActiveSandboxes("SIGKILL");
+		process.exit(130);
+	});
+}
 function tryParse(out) {
 	if (!out.trim()) return null;
 	try {
@@ -346,6 +434,7 @@ async function exportPartTool(args) {
 * "build → verify" step the agent loop is built on. Uses the SDK's low-level `Server` with plain
 * JSON-Schema tool definitions (no direct zod dependency in this package).
 */
+installSandboxShutdownHandlers();
 var pkgPath = (0, node_path.join)((0, node_path.dirname)((0, node_url.fileURLToPath)({}.url)), "..", "..", "package.json");
 var server = new _modelcontextprotocol_sdk_server_index_js.Server({
 	name: "brepjs-verify",

package/dist/mcp/server.js

@@ -3,12 +3,11 @@ import { fileURLToPath } from "node:url";
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { tmpdir } from "node:os";
-import { execFile } from "node:child_process";
+import { spawn } from "node:child_process";
 import { appendFile, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
-import { promisify } from "node:util";
 import { createHash } from "node:crypto";
 //#region src/sandbox/runProgram.ts
 /**
@@ -20,11 +19,22 @@ import { createHash } from "node:crypto";
 * rather than hanging or crashing the host. Results cross the boundary as serialized JSON (never
 * live WASM handles), and the temp program directory is always cleaned up.
 */
-var execFileAsync = promisify(execFile);
 var DEFAULT_TIMEOUT_MS = 3e4;
 var DEFAULT_MAX_MEMORY_MB = 2048;
 var MAX_OUTPUT_BYTES = 8 * 1024 * 1024;
 /**
+* In-flight sandbox process *groups*, keyed by group-leader pid. Tracked so a dying host can reap
+* its runs (see installSandboxShutdownHandlers) — the per-run timeout can't, since its timer dies
+* with the host.
+*/
+var activeGroups = /* @__PURE__ */ new Set();
+/** SIGKILL (or `signal`) an entire detached process group by its leader pid; ignore if already gone. */
+function killGroup(pid, signal) {
+	try {
+		process.kill(process.platform === "win32" ? pid : -pid, signal);
+	} catch {}
+}
+/**
 * Clamp a caller-supplied limit to a positive, finite value, falling back to the default otherwise.
 * Critical for the timeout: Node's `execFile` treats `timeout: 0` (and it ignores negatives) as
 * "no timeout", which would silently disable the sandbox's only runaway protection.
@@ -53,39 +63,14 @@ async function runVerifyCli(code, makeArgs, opts) {
 		const partPath = join(dir, "part.brep.ts");
 		await writeFile(partPath, code);
 		const cliArgs = makeArgs(partPath);
-		const cmd = useTsx ? "npx" : process.execPath;
-		const args = useTsx ? [
+		return await spawnCliOutcome(useTsx ? "npx" : process.execPath, useTsx ? [
 			"tsx",
 			cliEntry,
 			...cliArgs
-		] : [cliEntry, ...cliArgs];
-		try {
-			const { stdout, stderr } = await execFileAsync(cmd, args, {
-				timeout: timeoutMs,
-				killSignal: "SIGKILL",
-				maxBuffer: MAX_OUTPUT_BYTES,
-				env: {
-					...process.env,
-					NODE_OPTIONS: [process.env["NODE_OPTIONS"], `--max-old-space-size=${maxMemoryMb}`].filter(Boolean).join(" ")
-				}
-			});
-			return {
-				stdout,
-				stderr,
-				timedOut: false,
-				outputTooLarge: false,
-				exitCode: 0
-			};
-		} catch (err) {
-			const e = err;
-			return {
-				stdout: e.stdout ?? "",
-				stderr: e.stderr ?? (err instanceof Error ? err.message : String(err)),
-				timedOut: Boolean(e.killed) && e.code !== "ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
-				outputTooLarge: e.code === "ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
-				exitCode: typeof e.code === "number" ? e.code : null
-			};
-		}
+		] : [cliEntry, ...cliArgs], {
+			...process.env,
+			NODE_OPTIONS: [process.env["NODE_OPTIONS"], `--max-old-space-size=${maxMemoryMb}`].filter(Boolean).join(" ")
+		}, timeoutMs);
 	} finally {
 		await rm(dir, {
 			recursive: true,
@@ -93,6 +78,109 @@ async function runVerifyCli(code, makeArgs, opts) {
 		});
 	}
 }
+/**
+* Spawn the verify CLI in its OWN process group and enforce the wall-clock budget by SIGKILLing the
+* WHOLE group on timeout — not just the direct child.
+*
+* Why a process group rather than Node's built-in `execFile` timeout: in dev/test the CLI runs as
+* `npx tsx <main.ts>`, so the process that actually executes the part (and can spin on a CPU-bound
+* OCCT op) is a *grandchild* behind npx+tsx. `child_process`' `timeout`/`killSignal` signals only
+* the direct child, so a fired timeout SIGKILLs `npx` and orphans the still-spinning grandchild
+* forever (it reparents to init and keeps burning a core). Spawning `detached` makes the child a
+* process-group leader that npx's descendants inherit, so `process.kill(-pid, …)` reaps the entire
+* tree. The production path (`node dist/cli/main.js`) has no intermediary, but the group kill is
+* equally correct there.
+*/
+function spawnCliOutcome(cmd, args, env, timeoutMs) {
+	return new Promise((resolve) => {
+		const child = spawn(cmd, args, {
+			env,
+			detached: true,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+		if (child.pid !== void 0) activeGroups.add(child.pid);
+		let stdout = "";
+		let stderr = "";
+		let stdoutBytes = 0;
+		let timedOut = false;
+		let outputTooLarge = false;
+		let settled = false;
+		const killTree = (signal) => {
+			if (child.pid !== void 0) killGroup(child.pid, signal);
+		};
+		const timer = setTimeout(() => {
+			timedOut = true;
+			killTree("SIGKILL");
+		}, timeoutMs);
+		child.stdout?.on("data", (chunk) => {
+			if (outputTooLarge) return;
+			stdoutBytes += chunk.length;
+			if (stdoutBytes > MAX_OUTPUT_BYTES) {
+				outputTooLarge = true;
+				killTree("SIGKILL");
+				return;
+			}
+			stdout += chunk.toString();
+		});
+		let stderrBytes = 0;
+		child.stderr?.on("data", (chunk) => {
+			stderrBytes += chunk.length;
+			if (stderrBytes <= MAX_OUTPUT_BYTES) stderr += chunk.toString();
+		});
+		const finish = (exitCode) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			if (child.pid !== void 0) activeGroups.delete(child.pid);
+			resolve({
+				stdout,
+				stderr,
+				timedOut,
+				outputTooLarge,
+				exitCode
+			});
+		};
+		child.on("error", (err) => {
+			if (!stderr) stderr = err.message;
+			finish(null);
+		});
+		child.on("close", (code) => finish(code));
+	});
+}
+/** SIGKILL every in-flight sandbox process group now. Exported so a host can reap explicitly. */
+function killActiveSandboxes(signal = "SIGKILL") {
+	for (const pid of activeGroups) killGroup(pid, signal);
+	activeGroups.clear();
+}
+var shutdownHandlersInstalled = false;
+/**
+* Install process-shutdown hooks that reap any in-flight sandbox process groups when THIS process
+* (the host — e.g. the MCP server) terminates. Idempotent; call once at startup from an entrypoint.
+*
+* Rationale: the per-run timeout (`spawnCliOutcome`) only protects a run while the host is alive —
+* its timer dies with the host. If the host is stopped (the agent disconnects) before a run's
+* budget elapses, the `detached` sandbox group is in its own session and survives, burning a core
+* indefinitely. These hooks SIGKILL every tracked group on the way down so a dying host doesn't
+* leak its children. (A hard SIGKILL of the host can't be trapped — that residual needs the kernel's
+* PR_SET_PDEATHSIG, which Node doesn't expose.)
+*/
+function installSandboxShutdownHandlers() {
+	if (shutdownHandlersInstalled) return;
+	shutdownHandlersInstalled = true;
+	process.on("exit", () => killActiveSandboxes("SIGKILL"));
+	process.once("SIGTERM", () => {
+		killActiveSandboxes("SIGKILL");
+		process.exit(143);
+	});
+	process.once("SIGINT", () => {
+		killActiveSandboxes("SIGKILL");
+		process.exit(130);
+	});
+}
 function tryParse(out) {
 	if (!out.trim()) return null;
 	try {
@@ -346,6 +434,7 @@ async function exportPartTool(args) {
 * "build → verify" step the agent loop is built on. Uses the SDK's low-level `Server` with plain
 * JSON-Schema tool definitions (no direct zod dependency in this package).
 */
+installSandboxShutdownHandlers();
 var pkgPath = join(dirname(fileURLToPath(import.meta.url)), "..", "..", "package.json");
 var server = new Server({
 	name: "brepjs-verify",

package/dist/sandbox/runProgram.d.ts

@@ -53,6 +53,20 @@ export interface ExportFormats {
  * "no timeout", which would silently disable the sandbox's only runaway protection.
  */
 export declare function positiveOrDefault(value: number | undefined, fallback: number): number;
+/** SIGKILL every in-flight sandbox process group now. Exported so a host can reap explicitly. */
+export declare function killActiveSandboxes(signal?: NodeJS.Signals): void;
+/**
+ * Install process-shutdown hooks that reap any in-flight sandbox process groups when THIS process
+ * (the host — e.g. the MCP server) terminates. Idempotent; call once at startup from an entrypoint.
+ *
+ * Rationale: the per-run timeout (`spawnCliOutcome`) only protects a run while the host is alive —
+ * its timer dies with the host. If the host is stopped (the agent disconnects) before a run's
+ * budget elapses, the `detached` sandbox group is in its own session and survives, burning a core
+ * indefinitely. These hooks SIGKILL every tracked group on the way down so a dying host doesn't
+ * leak its children. (A hard SIGKILL of the host can't be trapped — that residual needs the kernel's
+ * PR_SET_PDEATHSIG, which Node doesn't expose.)
+ */
+export declare function installSandboxShutdownHandlers(): void;
 /** Execute `code` (an agent-authored `.brep.ts` module) in an isolated, resource-bounded child. */
 export declare function runProgram(code: string, opts?: RunProgramOptions): Promise<RunProgramResult>;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brepjs-verify",
-  "version": "0.8.0",
+  "version": "0.24.1",
   "description": "Agent skill + verify/preview tooling for authoring parametric brepjs CAD code",
   "license": "Apache-2.0",
   "type": "module",
@@ -53,9 +53,8 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.29.0",
-    "@types/node": "^25.9.1",
-    "brepjs": "^18.0.0",
-    "commander": "^13.0.0",
+    "brepjs": "^18.83.2",
+    "commander": "^15.0.0",
     "occt-wasm": "^3.0.0",
     "typescript": "^6.0.3"
   },
@@ -63,20 +62,20 @@
     "puppeteer": "^25.0.4"
   },
   "devDependencies": {
-    "@anthropic-ai/sdk": "0.100.1",
+    "@anthropic-ai/sdk": "0.102.0",
     "@react-three/drei": "^10.7.7",
     "@react-three/fiber": "^9.6.1",
-    "@types/node": "^25.9.1",
+    "@types/node": "25.9.2",
     "@types/react": "^19.2.15",
     "@types/react-dom": "^19.2.3",
     "@types/three": "^0.184.1",
     "@vitejs/plugin-react": "^6.0.2",
     "brepjs-viewer": "*",
     "eslint": "^10.4.0",
-    "react": "^19.2.6",
-    "react-dom": "^19.2.6",
+    "react": "19.2.7",
+    "react-dom": "19.2.7",
     "three": "^0.184.0",
-    "tsx": "^4.22.3",
+    "tsx": "4.22.4",
     "vite": "^8.0.0",
     "vite-plugin-dts": "^5.0.1",
     "vitest": "^4.0.0",