claude-code-session-manager 0.21.2 → 0.21.3

package/src/main/ipcSchemas.cjs

@@ -394,35 +394,64 @@ function validated(schema, handler) {
 }
 
 // ──────────────────────────────────────────── Web Remote command allowlist
-// Single source of truth — imported by webRemote.cjs and by the unit test.
-// Only these type strings will ever reach a handler; all others are silently
-// dropped without leaking error details back to the relay (ADR §6.2).
-const ALLOWED_COMMANDS = new Set([
+// Commands are split into three tiers:
+//   READ_COMMANDS      — return data; allowed when remoteEnabled=true.
+//   SAS_GATED_READS    — return sensitive user data (sessions, PRDs, logs,
+//                        transcript summaries); additionally require
+//                        _e2eAuthenticated=true (SAS confirmed by user).
+//                        A compromised relay cannot exfiltrate this data from
+//                        a session that has not been SAS-confirmed.
+//   MUTATE_COMMANDS    — write files, spawn processes, or mutate persisted
+//                        state; gated behind remoteControlEnabled=true AND
+//                        _e2eAuthenticated=true.
+// ALLOWED_COMMANDS is the union, kept for existing import compatibility.
+//
+// Ungated READ_COMMANDS (justify each):
+//   cmd:app:version      — exposes only the app semver string; no user data.
+//   cmd:session:unsubscribe — teardown lifecycle; returns nothing sensitive.
+const READ_COMMANDS = new Set([
+  'cmd:app:version',
+  // v2 mobile: unsubscribe is a teardown lifecycle call with no data payload.
+  'cmd:session:unsubscribe',
+]);
+
+// Sensitive reads — return user data; require SAS confirmation same as MUTATE.
+const SAS_GATED_READS = new Set([
   'cmd:sessions:load',
+  'cmd:schedule:state',
+  'cmd:schedule:read-prd',
+  'cmd:schedule:read-log',
+  'cmd:history:aggregate',
+  // subscribe initiates a live stream of session state/summary — sensitive.
+  'cmd:session:subscribe',
+]);
+
+const MUTATE_COMMANDS = new Set([
   'cmd:sessions:save',
   'cmd:pty:spawn',
   'cmd:pty:write',
-  'cmd:pty:resize',
+  // pty:kill terminates a live session; pty:resize drives the geometry of the
+  // user's interactive PTY — both write live process state, so they are gated
+  // behind remoteControlEnabled + SAS like every other mutation. A read-only
+  // mobile mirror has no business killing or resizing the desktop's session.
   'cmd:pty:kill',
-  'cmd:schedule:state',
-  'cmd:schedule:read-prd',
-  'cmd:schedule:read-log',
+  'cmd:pty:resize',
   'cmd:schedule:write-prd',
   'cmd:schedule:reset-job',
   'cmd:schedule:run-now',
   'cmd:schedule:set-config',
-  'cmd:history:aggregate',
-  'cmd:app:version',
-  // v2 mobile: per-session live state + summary push (ARCHITECTURE-V2-MOBILE.md §3)
-  'cmd:session:subscribe',
-  'cmd:session:unsubscribe',
 ]);
 
+const ALLOWED_COMMANDS = new Set([...READ_COMMANDS, ...SAS_GATED_READS, ...MUTATE_COMMANDS]);
+
 module.exports = {
   // Centralized slug regex — used by scheduler.cjs and queueOps.cjs for
   // direct test()/match() containment checks alongside the zod parses.
   SCHEDULE_SLUG_RE,
   SCHEDULE_RUN_ID_RE,
+  READ_COMMANDS,
+  SAS_GATED_READS,
+  MUTATE_COMMANDS,
   ALLOWED_COMMANDS,
   schemas: {
     webRemotePair,

package/src/main/kg.cjs

@@ -39,16 +39,24 @@ const path = require('node:path');
 const os = require('node:os');
 const { resolveClaudeBin } = require('./lib/claudeBin.cjs');
 const { encodeCwd } = require('./lib/encodeCwd.cjs');
+const { writeJson } = require('./config.cjs');
 
 const HOME = os.homedir();
 const KG_DIR = path.join(HOME, '.claude', 'knowledge-log');
 const LOG_PATH = path.join(KG_DIR, 'prompts.jsonl');
 const GRAPHS_DIR = path.join(KG_DIR, 'graphs');
 const INGEST_STATE_PATH = path.join(KG_DIR, 'ingest-state.json');
+const PROMPT_INDEX_PATH = path.join(KG_DIR, 'prompt-index.json');
 const BATCH = 20;                 // prompts per extraction call (also a per-project cap)
 const KNOWN_VOCAB = 200;          // top node names pre-seeded for dedup-at-extraction
 const MAX_TAIL_BYTES = 8 * 1024 * 1024;   // bound bytes scanned per ingest run
 const MAX_EXTRACTIONS_PER_RUN = 30;       // bound claude calls per run (cost/time)
+// Coalescing window before an auto-ingest after new prompts land. Units never
+// mix projects, and a project switch in the log closes the current batch — so
+// with concurrent sessions a short window yields 1-2-prompt batches and one
+// claude spawn each (~1.2K extraction runs in one 48h period). A long window
+// lets prompts accumulate into fuller batches; the KG tab tolerates the lag.
+const WATCH_COALESCE_MS = 5 * 60_000;
 
 const ENTITY_TYPES = ['project', 'feature', 'tool', 'tech', 'concept', 'goal', 'person'];
 
@@ -137,11 +145,7 @@ async function loadGraphFor(cwd) {
 }
 
 async function saveGraph(g) {
-  await fsp.mkdir(GRAPHS_DIR, { recursive: true });
-  const p = graphPath(g.cwd);
-  const tmp = `${p}.tmp`;
-  await fsp.writeFile(tmp, JSON.stringify(g, null, 2));
-  await fsp.rename(tmp, p);   // atomic
+  await writeJson(graphPath(g.cwd), g);
 }
 
 async function loadIngestState() {
@@ -152,10 +156,20 @@ async function loadIngestState() {
 }
 
 async function saveIngestState(s) {
-  await fsp.mkdir(KG_DIR, { recursive: true });
-  const tmp = `${INGEST_STATE_PATH}.tmp`;
-  await fsp.writeFile(tmp, JSON.stringify(s, null, 2));
-  await fsp.rename(tmp, INGEST_STATE_PATH);
+  await writeJson(INGEST_STATE_PATH, s);
+}
+
+/**
+ * Per-project prompt-count sidecar: { [encodedCwd]: { count: number, cwd: string } }
+ * Returns null when the file does not yet exist (triggers a one-time migration scan).
+ */
+async function readPromptIndex() {
+  try { return JSON.parse(await fsp.readFile(PROMPT_INDEX_PATH, 'utf8')); }
+  catch { return null; }
+}
+
+async function savePromptIndex(idx) {
+  await writeJson(PROMPT_INDEX_PATH, idx);
 }
 
 /** Canonical dedup key: lowercase, strip leading article, collapse whitespace. */
@@ -337,6 +351,7 @@ async function ingest() {
   broadcast('kg:ingest-progress', { phase: 'start', ingesting: true });
   try {
     const st = await loadIngestState();
+    const promptIdx = await readPromptIndex() ?? {};
     let stat;
     try { stat = await fsp.stat(LOG_PATH); }
     catch { broadcast('kg:ingest-progress', { phase: 'done', ingesting: false, added: 0 }); return { ok: true, added: 0, note: 'no log yet' }; }
@@ -423,6 +438,14 @@ async function ingest() {
         st.lastOffset += u.bytes;
         st.lastTs = u.entries[u.entries.length - 1].ts || st.lastTs;
         st.updatedAt = new Date().toISOString();
+        // Write index before advancing watermark: if we crash between these two
+        // writes, the watermark hasn't moved so the batch will be re-processed
+        // (the index count may be slightly high) rather than advanced past a
+        // batch whose index entry was never written.
+        if (!promptIdx[u.enc]) promptIdx[u.enc] = { count: 0, cwd: u.cwd };
+        promptIdx[u.enc].count += u.entries.length;
+        promptIdx[u.enc].cwd = u.cwd;
+        await savePromptIndex(promptIdx);
         await saveIngestState(st);
         if (extractions >= MAX_EXTRACTIONS_PER_RUN) { capped = true; break; }
         continue;
@@ -435,12 +458,19 @@ async function ingest() {
       g.updatedAt = new Date().toISOString();
 
       // Commit this batch: graph first (so a crash can't advance the watermark
-      // past unsaved work), then the watermark.
+      // past unsaved work), then the watermark + sidecar index.
       await saveGraph(g);
       st.lastOffset += u.bytes;
       st.promptCount += u.entries.length;
       st.lastTs = batchTs;
       st.updatedAt = new Date().toISOString();
+      // Write index before advancing watermark so a crash between the two
+      // leaves the watermark un-advanced (re-processable) rather than
+      // advancing past a batch whose index entry was never committed.
+      if (!promptIdx[u.enc]) promptIdx[u.enc] = { count: 0, cwd: u.cwd };
+      promptIdx[u.enc].count += u.entries.length;
+      promptIdx[u.enc].cwd = u.cwd;
+      await savePromptIndex(promptIdx);
       await saveIngestState(st);
 
       committedPrompts += u.entries.length;
@@ -473,25 +503,29 @@ async function ingest() {
 
 /** Enumerate projects seen in the log, enriched with per-project graph stats. */
 async function listProjects() {
-  const prompts = await readAllPrompts();
-  const byEnc = new Map();
-  for (const p of prompts) {
-    if (!p.cwd) continue;
-    const enc = encodeCwd(p.cwd);
-    let e = byEnc.get(enc);
-    if (!e) { e = { cwd: p.cwd, enc, total: 0 }; byEnc.set(enc, e); }
-    e.total++;
-    e.cwd = p.cwd; // keep most recent spelling
+  let idx = await readPromptIndex();
+  if (idx === null) {
+    // One-time migration: build sidecar from the full log.
+    idx = {};
+    const prompts = await readAllPrompts();
+    for (const p of prompts) {
+      if (!p.cwd) continue;
+      const enc = encodeCwd(p.cwd);
+      if (!idx[enc]) idx[enc] = { count: 0, cwd: p.cwd };
+      idx[enc].count++;
+      idx[enc].cwd = p.cwd;
+    }
+    await savePromptIndex(idx).catch(() => {});
   }
   const out = [];
-  for (const e of byEnc.values()) {
-    const g = await loadGraphFor(e.cwd);
+  for (const [enc, entry] of Object.entries(idx)) {
+    const g = await loadGraphFor(entry.cwd);
     out.push({
-      cwd: e.cwd,
-      label: shortLabel(e.cwd),
-      total: e.total,
+      cwd: entry.cwd,
+      label: shortLabel(entry.cwd),
+      total: entry.count,
       processed: g.promptCount || 0,
-      pending: Math.max(0, e.total - (g.promptCount || 0)),
+      pending: Math.max(0, entry.count - (g.promptCount || 0)),
       nodes: g.nodes.length,
       edges: g.edges.length,
       lastIngest: g.updatedAt,
@@ -510,7 +544,24 @@ async function getState(cwd) {
   const target = cwd || await defaultCwd();
   const enc = encodeCwd(target);
   const g = await loadGraphFor(target);
-  const prompts = (await readAllPrompts()).filter((p) => encodeCwd(p.cwd) === enc);
+  let idx = await readPromptIndex();
+  let totalPrompts;
+  if (idx === null) {
+    // One-time migration fallback — build from full log.
+    idx = {};
+    const prompts = await readAllPrompts();
+    for (const p of prompts) {
+      if (!p.cwd) continue;
+      const e2 = encodeCwd(p.cwd);
+      if (!idx[e2]) idx[e2] = { count: 0, cwd: p.cwd };
+      idx[e2].count++;
+      idx[e2].cwd = p.cwd;
+    }
+    await savePromptIndex(idx).catch(() => {});
+    totalPrompts = idx[enc]?.count ?? 0;
+  } else {
+    totalPrompts = idx[enc]?.count ?? 0;
+  }
   return {
     cwd: target,
     label: shortLabel(target),
@@ -518,8 +569,8 @@ async function getState(cwd) {
     edges: g.edges,
     status: {
       promptCount: g.promptCount || 0,
-      totalPrompts: prompts.length,
-      pending: Math.max(0, prompts.length - (g.promptCount || 0)),
+      totalPrompts,
+      pending: Math.max(0, totalPrompts - (g.promptCount || 0)),
       lastIngest: g.updatedAt,
       ingesting,
       logPath: LOG_PATH,
@@ -584,8 +635,14 @@ function init(opts = {}) {
     fs.mkdirSync(KG_DIR, { recursive: true });
     fs.watch(KG_DIR, (_evt, file) => {
       if (file && file !== 'prompts.jsonl') return;
-      if (watchTimer) clearTimeout(watchTimer);
-      watchTimer = setTimeout(() => { ingest().catch(() => {}); }, 8_000);
+      // Leading-edge coalesce: first new prompt arms the timer; later prompts
+      // ride along instead of resetting it, so busy periods can't starve
+      // ingest and every run sees a full window's worth of prompts.
+      if (watchTimer) return;
+      watchTimer = setTimeout(() => {
+        watchTimer = null;
+        ingest().catch(() => {});
+      }, WATCH_COALESCE_MS);
     });
   } catch { /* watch is best-effort */ }
 }

package/src/main/lib/credentials.cjs

@@ -168,6 +168,13 @@ async function refreshIfNeeded(forceRefresh = false) {
   }
 
   if (alreadyExpired) {
+    // Re-read from disk in case credentials were externally refreshed (e.g. via
+    // `claude login`) between our initial read and the failed OAuth attempt.
+    const recheckCr = await readCredentials();
+    if (recheckCr.kind === 'ok' && !isExpired(recheckCr.creds)) {
+      appendRefreshLog({ event: 'externally_refreshed_ok', recheckExpiresAt: recheckCr.creds.expiresAt ?? null });
+      return { kind: 'ok', creds: recheckCr.creds };
+    }
     const ms = expiresAtMs(creds);
     appendRefreshLog({ event: 'auth_failed_expired', expiredAtMs: ms });
     return {

package/src/main/lib/e2eStateMachine.cjs

@@ -0,0 +1,39 @@
+/**
+ * Pure E2E session state machine for the web-remote relay.
+ * No Electron, no I/O — importable in unit tests.
+ *
+ * State transitions:
+ *   idle        → pending_sas   : successful deriveSessionKey + deriveSas
+ *   idle        → failed        : crypto derivation error
+ *   pending_sas → authenticated : user confirms SAS
+ *   pending_sas → failed        : deriveSas threw after sessionKey succeeded
+ *   any         → idle          : disconnect / reset
+ */
+
+/** @returns {{ state: string, sessionKey: Buffer|null, pendingSas: string|null }} */
+function makeState(state = 'idle', sessionKey = null, pendingSas = null) {
+  return { state, sessionKey, pendingSas };
+}
+
+/**
+ * Attempt to confirm the SAS.  Pure — does not mutate; returns the next state.
+ * @param {{ state: string, sessionKey: Buffer|null, pendingSas: string|null }} e2eState
+ * @returns {{ ok: boolean, error?: string, next: { state: string, sessionKey: Buffer|null, pendingSas: string|null } }}
+ */
+function confirmSas(e2eState) {
+  if (e2eState.state !== 'pending_sas') {
+    const errorMap = {
+      idle: 'no_e2e_session',
+      failed: 'e2e_failed',
+      authenticated: 'already_authenticated',
+    };
+    const error = errorMap[e2eState.state] ?? 'unexpected_state';
+    return { ok: false, error, next: e2eState };
+  }
+  return {
+    ok: true,
+    next: makeState('authenticated', e2eState.sessionKey, null),
+  };
+}
+
+module.exports = { makeState, confirmSas };

package/src/main/runVerify.cjs

@@ -58,20 +58,24 @@ function detectPattern(content) {
     return { verdict: 'transcript_errors', pattern: 'FAIL/FATAL at line start' };
   }
 
-  // (2) Python Traceback + Error line within next 10 lines.
+  // (2) Python Traceback + exception line within next 10 lines. Both anchored
+  // to line starts: reviewer prose quoting "will crash with ImportError" or
+  // embedding "...Error:" mid-sentence must not match (feedback 2026-06-10-01).
   const lines = content.split('\n');
   for (let i = 0; i < lines.length; i++) {
-    if (lines[i].includes('Traceback (most recent call last):')) {
+    if (/^\s*Traceback \(most recent call last\):/.test(lines[i])) {
       for (let j = i + 1; j < Math.min(i + 11, lines.length); j++) {
-        if (lines[j].includes('Error:')) {
+        if (/^\s*[A-Za-z_][\w.]*(?:Error|Exception)\s*:/.test(lines[j])) {
           return { verdict: 'transcript_errors', pattern: 'Traceback + Error within 10 lines' };
         }
       }
     }
   }
 
-  // (3) Import / module errors (verification was skipped).
-  if (content.includes('ModuleNotFoundError') || content.includes('ImportError')) {
+  // (3) Import / module errors (verification was skipped). Line-anchored:
+  // real interpreter output starts the line with the exception name
+  // ("ModuleNotFoundError: No module named 'x'"); prose never does.
+  if (/^\s*(?:ModuleNotFoundError|ImportError)\s*(?::|$)/m.test(content)) {
     return { verdict: 'verify_unavailable', pattern: 'ModuleNotFoundError/ImportError' };
   }
 
@@ -195,6 +199,18 @@ function toolUseDesc(events, toolUseId) {
   return '';
 }
 
+/**
+ * Return the tool name of the tool_use that produced a given tool_result.
+ * Returns '' if not found.
+ */
+function toolUseName(events, toolUseId) {
+  if (!toolUseId) return '';
+  for (const ev of events) {
+    if (ev.kind === 'tool_use' && ev.toolUseId === toolUseId) return ev.toolName ?? '';
+  }
+  return '';
+}
+
 /**
  * Check whether the next ≤5 tool_use calls after `fromSeq` include a package
  * install command (pip install, pip3 install, uv sync, uv pip install).
@@ -471,6 +487,12 @@ async function verifyRun({ runDir, prdPath, queueEntry, allJobs = [] }) {
 
       if (!ev.content) continue;
 
+      // Subagent (Task) results are structured prose — review findings that
+      // *describe* exceptions ("will crash with ImportError") are the dominant
+      // false-positive source (feedback 2026-06-10-01). Real runtime errors
+      // surface through Bash/test tool_results, which are still scanned.
+      if (toolUseName(events, ev.toolUseId) === 'Task') continue;
+
       const hit = detectPattern(ev.content);
       if (!hit) continue;
 
@@ -520,6 +542,7 @@ module.exports = {
   verifyRun,
   // Exposed for unit tests.
   detectPattern,
+  toolUseName,
   extractSoakFromBody,
   parsePrdBodyDepFragments,
   checkDeps,

package/src/main/scheduler/prdParser.cjs

@@ -15,9 +15,24 @@
 
 const fs = require('node:fs');
 const fsp = require('node:fs/promises');
+const os = require('node:os');
 const path = require('node:path');
 const { splitFrontmatter } = require('../lib/prdFrontmatter.cjs');
 
+/**
+ * Expand a PRD `cwd` value to an absolute path.
+ * - `~/...` or `~` alone → absolute under os.homedir()
+ * - Already-absolute paths pass through unchanged.
+ * - Bare relative paths → joined onto os.homedir().
+ * null/empty returns null (caller falls back to defaultCwd).
+ */
+function expandCwd(cwd) {
+  if (!cwd) return null;
+  if (cwd === '~' || cwd.startsWith('~/')) return path.join(os.homedir(), cwd.slice(1));
+  if (path.isAbsolute(cwd)) return cwd;
+  return path.join(os.homedir(), cwd);
+}
+
 // Hard cap to keep one malformed PRD (e.g. a binary blob accidentally renamed
 // .md) from wedging the main thread. PRDs are PRDs, not media files; 1 MB is
 // already ~25k lines and well beyond any legitimate authored doc.
@@ -46,7 +61,7 @@ async function parsePrdRaw(filePath) {
     slug: base,
     path: filePath,
     title: fm.title || base,
-    cwd: fm.cwd || null,
+    cwd: expandCwd(fm.cwd || null),
     estimateMinutes: fm.estimateMinutes ? Number(fm.estimateMinutes) || null : null,
     parallelGroup: (fm.parallelGroup ? Number(fm.parallelGroup) || null : null) ?? groupFromName ?? 99,
     body: body.trim(),

package/src/main/scheduler.cjs

@@ -180,12 +180,16 @@ const HEARTBEAT_MAX_BYTES = 1024 * 1024;
 // DEFAULT_PROJECT_CWD imported from lib/schedulerBatch.cjs (single source of truth).
 
 const ENV_CAP = process.env.SM_SCHEDULER_MAX_CONCURRENCY
-  ? Math.max(1, Math.min(20, parseInt(process.env.SM_SCHEDULER_MAX_CONCURRENCY, 10) || 4))
+  ? Math.max(1, Math.min(20, parseInt(process.env.SM_SCHEDULER_MAX_CONCURRENCY, 10) || 3))
   : null;
 
+// Each headless claude -p process can grow past 1 GB; require 1.5 GB headroom
+// per running+pending slot to avoid OOM (incident 2026-06-10).
+const MIN_FREE_MB_PER_JOB = 1500;
+
 const DEFAULT_CONFIG = {
   offsetMinutes: 15,
-  concurrencyCap: ENV_CAP ?? 4,
+  concurrencyCap: ENV_CAP ?? 3,
   defaultCwd: DEFAULT_PROJECT_CWD,
   // 'when-available' = poll usage and fire whenever utilization < threshold.
   // 'on-reset'        = fire offsetMinutes after the next 5h reset (legacy).
@@ -202,6 +206,39 @@ const DEFAULT_CONFIG = {
   },
 };
 
+// ---------- memory gate ----------
+
+/**
+ * Returns available system memory in MB.  Reads /proc/meminfo on Linux; fails
+ * open (returns Infinity) on darwin or on any parse/read error so the gate
+ * never blocks scheduling on unsupported platforms.
+ */
+function getAvailableMemMb() {
+  if (process.platform !== 'linux') return Infinity;
+  try {
+    const raw = fs.readFileSync('/proc/meminfo', 'utf8');
+    const m = raw.match(/^MemAvailable:\s+(\d+)\s+kB/m);
+    if (!m) return Infinity;
+    return Math.floor(parseInt(m[1], 10) / 1024);
+  } catch {
+    return Infinity;
+  }
+}
+
+/**
+ * Pure helper: clamp a batch down so launching `toLaunch` more jobs doesn't
+ * drop available memory below MIN_FREE_MB_PER_JOB per active slot.
+ * Exported for unit tests.
+ */
+function memoryLimitedBatchSize(availableMb, minPerJob, runningCount, batchLen) {
+  if (availableMb === Infinity) return batchLen;
+  let allowed = batchLen;
+  while (allowed > 0 && availableMb < minPerJob * (runningCount + allowed)) {
+    allowed--;
+  }
+  return allowed;
+}
+
 // ---------- fs helpers ----------
 
 /**
@@ -539,6 +576,8 @@ let heartbeatInterval = null;
 // double-spawn when runDueJobs() is called while jobs are in flight.
 const runningSet = new Set();
 let cancelToken = { cancelled: false };
+// Last memory-gate observation; included in snapshot for renderer visibility.
+let lastMemGate = null;
 
 function attachWindow(w) { mainWindow = w; }
 
@@ -557,6 +596,13 @@ function buildScheduleStatePayload(state, { withPaths = false } = {}) {
     nextReset: getNextResetCached(),
     paused: state.paused,
     utilization: cachedUtilization,
+    pollHealth: {
+      lastPollAt,
+      lastPollOk,
+      consecutiveFailures,
+      lastFailureKind,
+    },
+    memGate: lastMemGate,
   };
   if (withPaths) {
     payload.paths = { root: ROOT, prds: PRDS_DIR, runs: RUNS_DIR, queue: QUEUE_PATH };
@@ -743,7 +789,7 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
   // before handing it to the child process.
   try { fs.accessSync(cwd, fs.constants.X_OK); }
   catch {
-    const errMsg = `cwd no longer exists: ${cwd}`;
+    const errMsg = `cwd does not exist on this machine: ${cwd}`;
     safeLog(`[scheduler] ${errMsg}\n`);
     closeFd();
     // Sync write: this is an early-exit error path inside an async function,
@@ -1356,11 +1402,29 @@ function tickQueue() {
     const batch = pickNextBatch(state.jobs, runningSet, cap);
     if (batch.length === 0) return;
 
+    const availableMb = getAvailableMemMb();
+    const allowed = memoryLimitedBatchSize(availableMb, MIN_FREE_MB_PER_JOB, runningSet.size, batch.length);
+    if (allowed === 0) {
+      const threshold = MIN_FREE_MB_PER_JOB * (runningSet.size + 1);
+      console.log(`[scheduler] memory gate: available=${availableMb} MB < threshold=${threshold} MB — deferring ${batch.length} job(s)`);
+      lastMemGate = { availableMb, threshold, deferred: true, at: new Date().toISOString() };
+      return;
+    }
+    const gatedBatch = batch.slice(0, allowed);
+    if (gatedBatch.length < batch.length) {
+      console.log(`[scheduler] memory gate: available=${availableMb} MB — clamped batch ${batch.length} → ${gatedBatch.length}`);
+      lastMemGate = { availableMb, threshold: MIN_FREE_MB_PER_JOB * (runningSet.size + gatedBatch.length), deferred: false, clamped: true, at: new Date().toISOString() };
+    } else {
+      // Ungated full batch: clear stale gate snapshot so status doesn't show
+      // a stale deferral from a previous tick.
+      lastMemGate = null;
+    }
+
     await mutate((s) => { s.lastRunAt = new Date().toISOString(); });
     await broadcast();
 
     const { runId, dir: runDir } = pickRunDir();
-    for (const job of batch) {
+    for (const job of gatedBatch) {
       if (cancelToken.cancelled) break;
       // spawnJob is fire-and-forget; it calls tickQueue() on completion.
       spawnJob(job, runId, runDir, state.config.defaultCwd).catch(() => {});
@@ -1450,6 +1514,18 @@ async function reapDeadRunningJobs() {
 
 // ---------- poll loop with exponential backoff ----------
 
+/**
+ * Pure: given the current pause reason and whether a reset timestamp is cached,
+ * return which clearPause source to pass after a successful billing poll, or null.
+ * Exported for unit testing.
+ */
+function pollRecoveryClearSource(pauseReason, hasCachedReset) {
+  if (pauseReason === 'network') return 'network-recovered';
+  if (pauseReason === 'auth') return 'auth-recovered';
+  if (pauseReason === 'reset_failure' && hasCachedReset) return 'reset-recovered';
+  return null;
+}
+
 async function pollLoop() {
   try {
     await reapDeadRunningJobs().catch(() => {});
@@ -1468,15 +1544,10 @@ async function pollLoop() {
       lastPollOk = true;
       persistSchedulerState();
 
-      // If a 'network' pause resolved, clear it now that we have a good reading.
+      // Clear any pause that was waiting for a successful billing read.
       const cur = await readQueue();
-      if (cur.paused?.reason === 'network') {
-        await clearPause('network-recovered');
-      }
-      // If 'reset_failure' was set and we now have a valid reset, clear it.
-      if (cur.paused?.reason === 'reset_failure' && cachedNextReset) {
-        await clearPause('reset-recovered');
-      }
+      const clearSrc = pollRecoveryClearSource(cur.paused?.reason ?? null, !!cachedNextReset);
+      if (clearSrc) await clearPause(clearSrc);
 
       await maybeLaunchWhenAvailable(cur);
       await broadcast();
@@ -1961,6 +2032,19 @@ const remote = {
     const resolved = safeSlugPath(slug);
     if (!resolved) return { ok: false, error: 'invalid slug' };
     try {
+      // Symlink defense, matching readPrd/readLog: safeSlugPath is lexical and
+      // does NOT resolve symlinks, so a rogue job could plant prds/x.md → an
+      // arbitrary $HOME path and have writeTextAtomic clobber it. Resolve the
+      // real parent dir (the file itself may not exist yet) and re-assert
+      // containment; also reject the target if it is already a symlink.
+      const realParent = await fsp.realpath(path.dirname(resolved));
+      if (realParent !== PRDS_DIR && !realParent.startsWith(PRDS_DIR + path.sep)) {
+        return { ok: false, error: 'invalid slug' };
+      }
+      const existing = await fsp.lstat(resolved).catch(() => null);
+      if (existing && existing.isSymbolicLink()) {
+        return { ok: false, error: 'invalid slug' };
+      }
       await config.writeTextAtomic(resolved, body);
       const stat = await fsp.stat(resolved);
       return { ok: true, bytesWritten: stat.size };
@@ -2005,4 +2089,4 @@ const remote = {
   },
 };
 
-module.exports = { registerScheduleHandlers, attachWindow, init, ROOT, PRDS_DIR, selectHistoryJobs, parsePorcelain, FINISH_PROTOCOL, remote, pickNextBatch, pickForProject, reapDeadRunningJobs };
+module.exports = { registerScheduleHandlers, attachWindow, init, ROOT, PRDS_DIR, selectHistoryJobs, parsePorcelain, FINISH_PROTOCOL, remote, pickNextBatch, pickForProject, reapDeadRunningJobs, pollRecoveryClearSource, memoryLimitedBatchSize };