claude-code-session-manager 0.8.6 → 0.10.0

package/src/main/scheduler.cjs

@@ -45,10 +45,17 @@ const fsp = require('node:fs/promises');
 const path = require('node:path');
 const os = require('node:os');
 const { spawn } = require('node:child_process');
+const { randomUUID } = require('node:crypto');
 const { ipcMain } = require('electron');
 const billing = require('./usage.cjs');
 const { cleanChildEnv } = require('./lib/cleanEnv.cjs');
 const supervisor = require('./supervisor.cjs');
+const { resolveClaudeBin } = require('./lib/claudeBin.cjs');
+const { readTail } = require('./lib/fileTail.cjs');
+const { sendIfAlive } = require('./lib/sendToRenderer.cjs');
+const prdParser = require('./scheduler/prdParser.cjs');
+const logs = require('./logs.cjs');
+const { schemas } = require('./ipcSchemas.cjs');
 const {
   POLL_INTERVAL_MS,
   USAGE_REFRESH_INTERVAL_MS,
@@ -95,8 +102,6 @@ const ENV_CAP = process.env.SM_SCHEDULER_MAX_CONCURRENCY
   : null;
 
 const DEFAULT_CONFIG = {
-  // Legacy on/off retained for backwards compat; v0.5+ uses firePolicy.
-  enabled: false,
   offsetMinutes: 15,
   concurrencyCap: ENV_CAP ?? 4,
   defaultCwd: DEFAULT_PROJECT_CWD,
@@ -117,16 +122,31 @@ const DEFAULT_CONFIG = {
 
 // ---------- fs helpers ----------
 
+/**
+ * Resolve PRDS_DIR/<slug>.md and enforce path containment. Returns the
+ * absolute path on success, null on slug-escape attempts. The zod schema
+ * for slugs already blocks `..` because the SLUG_RE excludes `/`, but
+ * defense-in-depth: a second containment check after path.resolve costs
+ * nothing and catches future regex laxity.
+ */
+function safeSlugPath(slug) {
+  const resolved = path.resolve(path.join(PRDS_DIR, `${slug}.md`));
+  if (!resolved.startsWith(PRDS_DIR + path.sep)) return null;
+  return resolved;
+}
+
 function ensureDirs() {
   fs.mkdirSync(PRDS_DIR, { recursive: true });
   fs.mkdirSync(RUNS_DIR, { recursive: true });
 }
 
-function atomicWriteJson(p, data) {
-  const tmp = `${p}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
-  fs.writeFileSync(tmp, JSON.stringify(data, null, 2));
-  fs.renameSync(tmp, p);
-}
+// Atomic JSON write helpers delegate to config.cjs's shared implementation.
+// Sync variant is required for the executeJob exit handler (Promise resolver
+// callback that must flush meta.json before resolving) — replacing with async
+// would deadlock the exit path.
+const config = require('./config.cjs');
+const atomicWriteJsonSync = (p, data) => config.writeJsonSync(p, data);
+const atomicWriteJson = (p, data) => config.writeJson(p, data);
 
 // ---------- scheduler-state.json (sidecar) ----------
 
@@ -143,8 +163,12 @@ function loadSchedulerState() {
 }
 
 function persistSchedulerState() {
+  // Sync write: called from many sync hot paths (clearPause, pollLoop catch
+  // block) and the sidecar is tiny (<1 KB). Converting to async here would
+  // require threading awaits through pause/resume bookkeeping for negligible
+  // benefit — the file is well under one page.
   try {
-    atomicWriteJson(SCHEDULER_STATE_PATH, {
+    atomicWriteJsonSync(SCHEDULER_STATE_PATH, {
       version: 1,
       lastObservedReset: cachedNextReset,
       lastResetObservedAt: cachedNextReset ? Date.now() : null,
@@ -178,7 +202,10 @@ function appendHeartbeat(entry) {
   }
 }
 
-function readQueue() {
+// Sync queue read — passed to the supervisor module (which calls it from
+// supervisorTick / applyAction with no await) and the heartbeat interval.
+// IPC handlers and mutate() use readQueue (async) below.
+function readQueueSync() {
   try {
     const raw = fs.readFileSync(QUEUE_PATH, 'utf8');
     const data = JSON.parse(raw);
@@ -194,9 +221,28 @@ function readQueue() {
   }
 }
 
-function writeQueue(state) {
+// Async queue read — used on all IPC hot paths. Reading queue.json sync was
+// blocking the main thread inside ipcMain.handle callbacks; awaiting fsp.readFile
+// hands control back to the renderer while the kernel paginates the file.
+async function readQueue() {
+  try {
+    const raw = await fsp.readFile(QUEUE_PATH, 'utf8');
+    const data = JSON.parse(raw);
+    return {
+      config: { ...DEFAULT_CONFIG, ...(data.config || {}) },
+      jobs: Array.isArray(data.jobs) ? data.jobs : [],
+      scheduledFor: data.scheduledFor ?? null,
+      lastRunAt: data.lastRunAt ?? null,
+      paused: data.paused ?? null,
+    };
+  } catch {
+    return { config: { ...DEFAULT_CONFIG }, jobs: [], scheduledFor: null, lastRunAt: null, paused: null };
+  }
+}
+
+async function writeQueue(state) {
   ensureDirs();
-  atomicWriteJson(QUEUE_PATH, state);
+  await atomicWriteJson(QUEUE_PATH, state);
 }
 
 // ---------- serialized mutation queue ----------
@@ -209,9 +255,9 @@ let mutateTail = Promise.resolve();
 
 function mutate(fn) {
   const next = mutateTail.then(async () => {
-    const state = readQueue();
+    const state = await readQueue();
     const ret = await fn(state);
-    writeQueue(state);
+    await writeQueue(state);
     return ret;
   });
   mutateTail = next.catch(() => {}); // keep chain alive on errors
@@ -225,55 +271,13 @@ function mutate(fn) {
  * yaml dep; the schema is small (title, cwd, estimateMinutes, parallelGroup)
  * and the format is documented in the user-facing README.
  */
-function parsePrd(filePath) {
-  const text = fs.readFileSync(filePath, 'utf8');
-  const meta = { title: null, cwd: null, estimateMinutes: null, parallelGroup: null };
-  let body = text;
-
-  if (text.startsWith('---\n')) {
-    const end = text.indexOf('\n---', 4);
-    if (end !== -1) {
-      const fm = text.slice(4, end);
-      body = text.slice(end + 4).replace(/^\n/, '');
-      for (const line of fm.split('\n')) {
-        const m = line.match(/^([a-zA-Z]+):\s*(.+?)\s*$/);
-        if (!m) continue;
-        const k = m[1];
-        let v = m[2];
-        if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) {
-          v = v.slice(1, -1);
-        }
-        if (k === 'title') meta.title = v;
-        else if (k === 'cwd') meta.cwd = v;
-        else if (k === 'estimateMinutes') meta.estimateMinutes = Number(v) || null;
-        else if (k === 'parallelGroup') meta.parallelGroup = Number(v) || null;
-      }
-    }
-  }
-
-  const base = path.basename(filePath, '.md');
-  const groupFromName = (() => {
-    const m = base.match(/^(\d+)-/);
-    return m ? Number(m[1]) : null;
-  })();
-
-  return {
-    slug: base,
-    path: filePath,
-    title: meta.title || base,
-    cwd: meta.cwd || null,
-    estimateMinutes: meta.estimateMinutes,
-    parallelGroup: meta.parallelGroup ?? groupFromName ?? 99,
-    body: body.trim(),
-  };
-}
-
-function listPrdFiles() {
+// PRD parsing + dir-mtime cache live in scheduler/prdParser.cjs. Local wrappers
+// preserve the existing call shape (callers don't need to thread PRDS_DIR).
+const parsePrdRaw = prdParser.parsePrdRaw;
+const parsePrd = prdParser.parsePrd;
+async function listPrdFiles() {
   ensureDirs();
-  return fs.readdirSync(PRDS_DIR)
-    .filter((f) => f.endsWith('.md') && !f.startsWith('.'))
-    .map((f) => path.join(PRDS_DIR, f))
-    .sort();
+  return prdParser.listPrdFiles(PRDS_DIR);
 }
 
 // ---------- queue reconciliation ----------
@@ -286,12 +290,14 @@ function listPrdFiles() {
  * Status is preserved: pending stays pending, completed stays completed.
  * Newly-discovered PRDs land as `pending`.
  */
-function reconcile(state) {
-  const files = listPrdFiles();
+async function reconcile(state) {
+  const files = await listPrdFiles();
   const onDisk = new Map();
   for (const f of files) {
     try {
-      const p = parsePrd(f);
+      // Per-file await: parsing is mtime-cached so steady-state hits zero
+      // disk reads; on cold cache the awaits keep the main thread responsive.
+      const p = await parsePrd(f);
       onDisk.set(p.slug, p);
     } catch (e) {
       console.warn('[scheduler] failed to parse', f, e?.message);
@@ -377,16 +383,17 @@ let heartbeatInterval = null;
 // double-spawn when runDueJobs() is called while jobs are in flight.
 const runningSet = new Set();
 let cancelToken = { cancelled: false };
-let claudeBinPathCached = null;
 
 function attachWindow(w) { mainWindow = w; }
 
-function broadcast() {
-  if (!mainWindow || mainWindow.isDestroyed()) return;
-  const state = readQueue();
-  reconcile(state);
-  writeQueue(state);
-  mainWindow.webContents.send('schedule:state', {
+/**
+ * Build the snapshot payload consumed by both the `schedule:state` IPC
+ * handler and the `schedule:state` broadcast event. The IPC return adds a
+ * `paths` map (renderer uses it for "open folder" actions); broadcast omits
+ * it because subscribers don't need to re-derive paths on every tick.
+ */
+function buildScheduleStatePayload(state, { withPaths = false } = {}) {
+  const payload = {
     config: state.config,
     jobs: state.jobs,
     scheduledFor: state.scheduledFor,
@@ -394,7 +401,19 @@ function broadcast() {
     nextReset: getNextResetCached(),
     paused: state.paused,
     utilization: cachedUtilization,
-  });
+  };
+  if (withPaths) {
+    payload.paths = { root: ROOT, prds: PRDS_DIR, runs: RUNS_DIR, queue: QUEUE_PATH };
+  }
+  return payload;
+}
+
+async function broadcast() {
+  if (!mainWindow || mainWindow.isDestroyed()) return;
+  const state = await readQueue();
+  await reconcile(state);
+  await writeQueue(state);
+  sendIfAlive(mainWindow, 'schedule:state', buildScheduleStatePayload(state));
 }
 
 function clearFireTimer() {
@@ -425,13 +444,13 @@ async function rescheduleTimer() {
   } catch {
     nextResetIso = cachedNextReset;
   }
-  const fireAt = await mutate((state) => {
-    reconcile(state);
+  const fireAt = await mutate(async (state) => {
+    await reconcile(state);
     const fa = computeFireAt(state, nextResetIso);
     state.scheduledFor = fa ? new Date(fa).toISOString() : null;
     return fa;
   });
-  broadcast();
+  await broadcast();
   if (!fireAt) return;
 
   const delay = Math.max(1000, fireAt - Date.now());
@@ -462,7 +481,7 @@ async function setPaused(reason, resumeAtIso) {
       s.paused = { reason, since: new Date().toISOString(), resumeAt: effectiveResumeAt || null };
     }
   });
-  broadcast();
+  await broadcast();
   cancelToken.cancelled = true;
   if (resumeTimer) { clearTimeout(resumeTimer); resumeTimer = null; }
   if (!effectiveResumeAt) return;
@@ -491,9 +510,18 @@ async function clearPause(source) {
   // Track manual clears for the auto-pause cooldown.
   if (source === 'manual' || source === 'run-now') {
     pauseClearedManuallyAt = Date.now();
+    // The user has just affirmed the queue should run — clear the failure
+    // counters so the renderer doesn't keep nagging about stale poll fails.
+    // The next poll will set them again if the condition still applies.
+    consecutiveFailures = 0;
+    backoffMs = 0;
+    backoffNextAt = null;
+    firstFailureAt = null;
+    firstNon429FailureAt = null;
+    lastFailureKind = null;
     persistSchedulerState();
   }
-  if (wasPaused) broadcast();
+  if (wasPaused) await broadcast();
 }
 
 /** Mutate a job in place to "pending" with cleared run metadata. */
@@ -528,24 +556,6 @@ function detectRateLimitInLog(logPath) {
   }
 }
 
-// ---------- claude binary ----------
-
-function resolveClaudeBin() {
-  if (claudeBinPathCached) return claudeBinPathCached;
-  const candidates = [
-    path.join(os.homedir(), '.claude', 'local', 'claude'),
-    '/usr/local/bin/claude',
-    '/opt/homebrew/bin/claude',
-    '/usr/bin/claude',
-  ];
-  for (const c of candidates) {
-    try { fs.accessSync(c, fs.constants.X_OK); claudeBinPathCached = c; return c; } catch { /* */ }
-  }
-  // Last resort: rely on PATH lookup at spawn time.
-  claudeBinPathCached = 'claude';
-  return claudeBinPathCached;
-}
-
 // ---------- execution ----------
 
 function pickRunDir() {
@@ -565,31 +575,43 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
   const metaPath = path.join(runDir, `${job.slug}.meta.json`);
   const cwd = job.cwd || defaultCwd;
   const startedAt = Date.now();
+  const sessionId = randomUUID();
 
   const fd = fs.openSync(logPath, 'a');
   let fdClosed = false;
-  const closeFd = () => { if (fdClosed) return; fdClosed = true; fs.closeSync(fd); };
+  const closeFd = () => { if (fdClosed) return; fdClosed = true; try { fs.closeSync(fd); } catch { /* */ } };
+  // safeLog: no-op once the fd is closed, never throws on the watchdog timer
+  // path. Pre-fix, a post-result/idle watchdog firing AFTER closeFd would
+  // throw EBADF and crash the host. Every fs.writeSync(fd, …) below goes
+  // through this helper.
+  const safeLog = (msg) => {
+    if (fdClosed) return;
+    try { fs.writeSync(fd, msg); } catch { /* fd vanished mid-write */ }
+  };
 
-  fs.writeSync(fd, `[scheduler] starting ${job.slug} at ${new Date().toISOString()}\n[scheduler] cwd=${cwd}\n\n`);
+  safeLog(`[scheduler] starting ${job.slug} at ${new Date().toISOString()}\n[scheduler] cwd=${cwd}\n\n`);
 
   // Dead-cwd guard: verify the target directory exists and is traversable
   // before handing it to the child process.
   try { fs.accessSync(cwd, fs.constants.X_OK); }
   catch {
     const errMsg = `cwd no longer exists: ${cwd}`;
-    fs.writeSync(fd, `[scheduler] ${errMsg}\n`);
+    safeLog(`[scheduler] ${errMsg}\n`);
     closeFd();
-    atomicWriteJson(metaPath, { slug: job.slug, cwd, exitCode: -1, error: errMsg, startedAt, finishedAt: Date.now(), durationMs: 0 });
-    return { exitCode: -1, durationMs: 0, error: errMsg };
+    // Sync write: this is an early-exit error path inside an async function,
+    // so we could await, but using the sync variant keeps the error path
+    // ordering identical to the spawn-failed branch below (also sync).
+    atomicWriteJsonSync(metaPath, { slug: job.slug, cwd, sessionId, exitCode: -1, error: errMsg, startedAt, finishedAt: Date.now(), durationMs: 0 });
+    return { exitCode: -1, durationMs: 0, error: errMsg, sessionId };
   }
 
   // Read full PRD body fresh from disk (queue stored only the preview).
   let prompt;
   try {
-    const parsed = parsePrd(path.join(PRDS_DIR, `${job.slug}.md`));
+    const parsed = await parsePrd(path.join(PRDS_DIR, `${job.slug}.md`));
     prompt = parsed.body;
   } catch (e) {
-    fs.writeSync(fd, `[scheduler] failed to read PRD: ${e?.message}\n`);
+    safeLog(`[scheduler] failed to read PRD: ${e?.message}\n`);
     closeFd();
     return { exitCode: -1, durationMs: 0, error: e?.message };
   }
@@ -600,28 +622,46 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
     // launched from a `claude` shell. CLAUDE_EFFORT=xhigh forces Opus and
     // overrides `--model sonnet`, so scheduled jobs burn Opus credits silently.
     const childEnv = cleanChildEnv();
-    const child = spawn(claudeBin, [
-      '-p', prompt,
-      '--model', 'sonnet',
-      '--dangerously-skip-permissions',
-      '--output-format', 'stream-json',
-      '--verbose',
-    ], {
-      cwd,
-      env: childEnv,
-      stdio: ['ignore', fd, fd],
-      // detached:true puts the child in its own process group so we can kill
-      // the entire descendant tree (including any stray background bashes the
-      // agent spawned) with `process.kill(-pid)`. Without this, child.kill()
-      // only kills the immediate `claude` process, leaving orphaned subprocs
-      // that keep the parent alive (the 2026-05-10 cellar-publish hang).
-      detached: true,
-    });
+    // Guard against synchronous spawn failures (EAGAIN, ENOMEM on fork).
+    // Without this, the throw bubbles out of the Promise executor and the
+    // outer await rejects — but the open fd is leaked.
+    let child;
+    try {
+      child = spawn(claudeBin, [
+        '-p', prompt,
+        '--model', 'sonnet',
+        '--dangerously-skip-permissions',
+        '--output-format', 'stream-json',
+        '--verbose',
+        '--session-id', sessionId,
+      ], {
+        cwd,
+        env: childEnv,
+        stdio: ['ignore', fd, fd],
+        // detached:true puts the child in its own process group so we can kill
+        // the entire descendant tree (including any stray background bashes the
+        // agent spawned) with `process.kill(-pid)`. Without this, child.kill()
+        // only kills the immediate `claude` process, leaving orphaned subprocs
+        // that keep the parent alive (the 2026-05-10 cellar-publish hang).
+        detached: true,
+      });
+    } catch (e) {
+      const errMsg = `spawn failed: ${e?.message ?? String(e)}`;
+      safeLog(`[scheduler] ${errMsg}\n`);
+      closeFd();
+      const durationMs = Date.now() - startedAt;
+      // Sync write: inside the Promise executor, before resolve(). Awaiting
+      // here would require restructuring the executor; the meta file is tiny
+      // and this is an error path, not the IPC hot path.
+      atomicWriteJsonSync(metaPath, { slug: job.slug, cwd, sessionId, exitCode: -1, error: errMsg, startedAt, finishedAt: Date.now(), durationMs });
+      resolve({ exitCode: -1, durationMs, error: errMsg, sessionId });
+      return;
+    }
 
-    fs.writeSync(fd, `[scheduler] spawned pid=${child.pid} (process group)\n\n`);
+    safeLog(`[scheduler] spawned pid=${child.pid} sessionId=${sessionId} (process group)\n\n`);
 
     // Fire-and-forget pid persistence — best effort.
-    if (onPid) onPid(child.pid).catch(() => {});
+    if (onPid) onPid(child.pid, sessionId, cwd).catch(() => {});
 
     // Track whether the agent has emitted a `result` event in its JSONL stream.
     // null until seen; then one of "success" | "error_max_turns" | ... per the
@@ -657,15 +697,15 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
         const m = buf.toString('utf8').match(/\{"type":"result","subtype":"([a-z_]+)"/);
         if (!m) return;
         agentResultSubtype = m[1];
-        fs.writeSync(fd, `\n[scheduler] result event detected (subtype=${agentResultSubtype}); ` +
+        safeLog(`\n[scheduler] result event detected (subtype=${agentResultSubtype}); ` +
           `starting ${Math.round(POST_RESULT_GRACE_MS/1000)}s exit-grace timer\n`);
         clearInterval(resultTailer);
         postResultTimer = setTimeout(() => {
-          fs.writeSync(fd, `\n[scheduler] post-result grace expired (${Math.round(POST_RESULT_GRACE_MS/1000)}s); ` +
+          safeLog(`\n[scheduler] post-result grace expired (${Math.round(POST_RESULT_GRACE_MS/1000)}s); ` +
             `child still alive — SIGTERM process group\n`);
           killTree('SIGTERM');
           postResultKillTimer = setTimeout(() => {
-            fs.writeSync(fd, `\n[scheduler] still alive ${Math.round(POST_RESULT_KILL_MS/1000)}s after SIGTERM — SIGKILL\n`);
+            safeLog(`\n[scheduler] still alive ${Math.round(POST_RESULT_KILL_MS/1000)}s after SIGTERM — SIGKILL\n`);
             killTree('SIGKILL');
           }, POST_RESULT_KILL_MS);
           if (postResultKillTimer.unref) postResultKillTimer.unref();
@@ -677,7 +717,7 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
 
     // Kill the child if it runs past the maximum allowed duration.
     const watchdog = setTimeout(() => {
-      fs.writeSync(fd, `\n[scheduler] watchdog SIGKILL after ${MAX_JOB_DURATION_MS}ms\n`);
+      safeLog(`\n[scheduler] watchdog SIGKILL after ${MAX_JOB_DURATION_MS}ms\n`);
       killTree('SIGKILL');
     }, MAX_JOB_DURATION_MS);
     if (watchdog.unref) watchdog.unref();
@@ -691,12 +731,12 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
         const stat = fs.statSync(logPath);
         const idleMs = Date.now() - stat.mtimeMs;
         if (idleMs > IDLE_OUTPUT_KILL_MS) {
-          fs.writeSync(fd, `\n[scheduler] idle-output watchdog: log mtime stalled ` +
+          safeLog(`\n[scheduler] idle-output watchdog: log mtime stalled ` +
             `${Math.round(idleMs/1000)}s (> ${Math.round(IDLE_OUTPUT_KILL_MS/1000)}s threshold) — SIGTERM process group\n`);
           clearInterval(idleChecker);
           killTree('SIGTERM');
           idleKillTimer = setTimeout(() => {
-            fs.writeSync(fd, `\n[scheduler] idle watchdog: still alive ${Math.round(POST_RESULT_KILL_MS/1000)}s after SIGTERM — SIGKILL\n`);
+            safeLog(`\n[scheduler] idle watchdog: still alive ${Math.round(POST_RESULT_KILL_MS/1000)}s after SIGTERM — SIGKILL\n`);
             killTree('SIGKILL');
           }, POST_RESULT_KILL_MS);
           if (idleKillTimer.unref) idleKillTimer.unref();
@@ -717,10 +757,11 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
     child.on('error', (err) => {
       clearAllTimers();
       const durationMs = Date.now() - startedAt;
-      fs.writeSync(fd, `\n[scheduler] error: ${err.message}\n`);
+      safeLog(`\n[scheduler] error: ${err.message}\n`);
       closeFd();
-      atomicWriteJson(metaPath, { slug: job.slug, cwd, exitCode: -1, error: err.message, startedAt, finishedAt: Date.now(), durationMs });
-      resolve({ exitCode: -1, durationMs, error: err.message });
+      // Sync write: child event handler must flush meta before resolve().
+      atomicWriteJsonSync(metaPath, { slug: job.slug, cwd, sessionId, exitCode: -1, error: err.message, startedAt, finishedAt: Date.now(), durationMs });
+      resolve({ exitCode: -1, durationMs, error: err.message, sessionId });
     });
 
     child.on('exit', (code, signal) => {
@@ -737,19 +778,21 @@ async function executeJob(job, runDir, defaultCwd, onPid) {
       const mappedToSuccess = agentResultSubtype === 'success' && killedBySignal;
       if (mappedToSuccess) {
         effectiveCode = 0;
-        fs.writeSync(fd, `\n[scheduler] mapping exit code=${code} signal=${signal} → 0 ` +
+        safeLog(`\n[scheduler] mapping exit code=${code} signal=${signal} → 0 ` +
           `(result=success was emitted before kill)\n`);
       }
-      fs.writeSync(fd, `\n[scheduler] exit code=${effectiveCode} (raw code=${code} signal=${signal}) ` +
+      safeLog(`\n[scheduler] exit code=${effectiveCode} (raw code=${code} signal=${signal}) ` +
         `duration=${Math.round(durationMs / 1000)}s\n`);
       closeFd();
       const rateLimited = effectiveCode !== 0 && detectRateLimitInLog(logPath);
-      atomicWriteJson(metaPath, {
-        slug: job.slug, cwd, exitCode: effectiveCode, rateLimited,
+      // Sync write: child 'exit' handler must flush meta before resolve()
+      // so the spawnJob mutate() that follows sees the persisted exit code.
+      atomicWriteJsonSync(metaPath, {
+        slug: job.slug, cwd, sessionId, exitCode: effectiveCode, rateLimited,
         startedAt, finishedAt: Date.now(), durationMs,
         agentResultSubtype, mappedFromSignal: mappedToSuccess ? signal || `code=${code}` : null,
       });
-      resolve({ exitCode: effectiveCode, durationMs, rateLimited });
+      resolve({ exitCode: effectiveCode, durationMs, rateLimited, sessionId });
     });
   });
 }
@@ -859,23 +902,6 @@ function isFixPlanSlug(slug) {
   return /^\d+-fix-/.test(slug);
 }
 
-/**
- * Read the last `bytes` of a file as utf8. Returns '' on error.
- */
-function readTail(filePath, bytes) {
-  try {
-    const stat = fs.statSync(filePath);
-    const n = Math.min(stat.size, bytes);
-    const fd = fs.openSync(filePath, 'r');
-    const buf = Buffer.alloc(n);
-    fs.readSync(fd, buf, 0, n, stat.size - n);
-    fs.closeSync(fd);
-    return buf.toString('utf8');
-  } catch {
-    return '';
-  }
-}
-
 /**
  * Spawn an Opus investigation session for a failed job. The investigator's job
  * is to read the failure log + original PRD, identify the root cause, and write
@@ -897,7 +923,7 @@ async function spawnInvestigation(failedJob, runDir) {
 
   let originalBody = '';
   try {
-    originalBody = parsePrd(path.join(PRDS_DIR, `${failedJob.slug}.md`)).body;
+    originalBody = (await parsePrd(path.join(PRDS_DIR, `${failedJob.slug}.md`))).body;
   } catch {
     originalBody = failedJob.bodyPreview || '(original PRD missing from disk)';
   }
@@ -914,7 +940,16 @@ async function spawnInvestigation(failedJob, runDir) {
     return;
   }
 
-  const cwd = failedJob.cwd || DEFAULT_PROJECT_CWD;
+  // cwd fallback: if the failed job's cwd is missing on disk, the investigator
+  // child would itself fail to spawn (ENOENT). Fall back to DEFAULT_PROJECT_CWD
+  // so the investigation can still write a fix plan that updates the cwd or
+  // re-creates the missing project directory.
+  let cwd = failedJob.cwd || DEFAULT_PROJECT_CWD;
+  try { fs.accessSync(cwd, fs.constants.X_OK); }
+  catch {
+    console.warn(`[scheduler] investigation cwd missing (${cwd}); falling back to ${DEFAULT_PROJECT_CWD}`);
+    cwd = DEFAULT_PROJECT_CWD;
+  }
   const prompt = `You are investigating a failed scheduled job in the session-manager queue. Your ONLY job is to write a fix-plan PRD file. Do NOT attempt the fix yourself.
 
 # Failed job
@@ -960,26 +995,37 @@ ${logTail}
 DO NOT attempt the fix. ONLY write the file. When the file exists, exit immediately.`;
 
   const fd = fs.openSync(investigationLogPath, 'a');
-  fs.writeSync(fd, `[scheduler] investigation starting for ${failedJob.slug} at ${new Date().toISOString()}\n[scheduler] target fix PRD: ${fixPath}\n\n`);
+  const sessionId = randomUUID();
+  try {
+    fs.writeSync(fd, `[scheduler] investigation starting for ${failedJob.slug} at ${new Date().toISOString()}\n[scheduler] target fix PRD: ${fixPath}\n[scheduler] sessionId=${sessionId}\n\n`);
+  } catch { /* */ }
 
   const claudeBin = resolveClaudeBin();
   const childEnv = cleanChildEnv();
-  const child = spawn(claudeBin, [
-    '-p', prompt,
-    '--model', 'opus',
-    '--dangerously-skip-permissions',
-    '--output-format', 'stream-json',
-    '--verbose',
-  ], {
-    cwd,
-    env: childEnv,
-    stdio: ['ignore', fd, fd],
-  });
+  let child;
+  try {
+    child = spawn(claudeBin, [
+      '-p', prompt,
+      '--model', 'opus',
+      '--dangerously-skip-permissions',
+      '--output-format', 'stream-json',
+      '--verbose',
+      '--session-id', sessionId,
+    ], {
+      cwd,
+      env: childEnv,
+      stdio: ['ignore', fd, fd],
+    });
+  } catch (e) {
+    try { fs.writeSync(fd, `\n[scheduler] investigation spawn failed: ${e?.message ?? e}\n`); } catch { /* */ }
+    try { fs.closeSync(fd); } catch { /* */ }
+    return;
+  }
 
-  fs.writeSync(fd, `[scheduler] investigation pid=${child.pid}\n\n`);
+  try { fs.writeSync(fd, `[scheduler] investigation pid=${child.pid}\n\n`); } catch { /* */ }
 
   const watchdog = setTimeout(() => {
-    fs.writeSync(fd, `\n[scheduler] investigation watchdog SIGKILL after ${MAX_INVESTIGATION_DURATION_MS}ms\n`);
+    try { fs.writeSync(fd, `\n[scheduler] investigation watchdog SIGKILL after ${MAX_INVESTIGATION_DURATION_MS}ms\n`); } catch { /* */ }
     try { child.kill('SIGKILL'); } catch { /* already dead */ }
   }, MAX_INVESTIGATION_DURATION_MS);
   if (watchdog.unref) watchdog.unref();
@@ -1015,15 +1061,17 @@ async function spawnJob(job, runId, runDir, defaultCwd) {
         s.jobs[idx].startedAt = new Date().toISOString();
       }
     });
-    broadcast();
+    await broadcast();
 
-    const res = await executeJob(job, runDir, defaultCwd, async (pid) => {
+    const res = await executeJob(job, runDir, defaultCwd, async (pid, sessionId, cwd) => {
       await mutate((s) => {
         const idx = s.jobs.findIndex((x) => x.slug === job.slug);
         if (idx >= 0) {
-          s.jobs[idx].runtime = { pid, runId, startedAt: s.jobs[idx].startedAt };
+          s.jobs[idx].sessionId = sessionId;
+          s.jobs[idx].runtime = { pid, runId, startedAt: s.jobs[idx].startedAt, sessionId, cwd };
         }
       });
+      await broadcast();
     });
 
     if (res.rateLimited) {
@@ -1052,7 +1100,7 @@ async function spawnJob(job, runId, runDir, defaultCwd) {
         }
       }
     });
-    broadcast();
+    await broadcast();
 
     if (actuallyFailed && failedJobSnapshot) {
       spawnInvestigation(failedJobSnapshot, runDir).catch((e) => {
@@ -1075,20 +1123,20 @@ let tickTail = Promise.resolve();
 
 function tickQueue() {
   const next = tickTail.then(async () => {
-    const state = readQueue();
+    const state = await readQueue();
     if (state.paused) {
       console.log('[scheduler] tickQueue skipped: paused');
       return;
     }
     if (cancelToken.cancelled) return;
 
-    reconcile(state);
+    await reconcile(state);
     const cap = ENV_CAP ?? state.config.concurrencyCap;
     const batch = pickNextBatch(state.jobs, runningSet, cap);
     if (batch.length === 0) return;
 
     await mutate((s) => { s.lastRunAt = new Date().toISOString(); });
-    broadcast();
+    await broadcast();
 
     const { runId, dir: runDir } = pickRunDir();
     for (const job of batch) {
@@ -1102,7 +1150,7 @@ function tickQueue() {
 }
 
 async function runDueJobs() {
-  const state = readQueue();
+  const state = await readQueue();
   if (state.paused) {
     console.log('[scheduler] runDueJobs skipped: paused');
     return;
@@ -1111,7 +1159,7 @@ async function runDueJobs() {
   await tickQueue();
   // Clear the one-shot scheduledFor without waiting for jobs to settle.
   await mutate((s) => { s.scheduledFor = null; });
-  broadcast();
+  await broadcast();
 }
 
 // ---------- when-available launch logic ----------
@@ -1123,7 +1171,7 @@ async function maybeLaunchWhenAvailable(state) {
   if (pending.length === 0) return;
   if (cachedUtilization === null || cachedUtilization === undefined) return;
   if (cachedUtilization >= state.config.utilizationThreshold) {
-    broadcast();
+    await broadcast();
     return;
   }
   console.log(`[scheduler] when-available: util=${cachedUtilization}%, ${pending.length} pending, ${runningSet.size} running — ticking`);
@@ -1150,7 +1198,7 @@ async function pollLoop() {
       persistSchedulerState();
 
       // If a 'network' pause resolved, clear it now that we have a good reading.
-      const cur = readQueue();
+      const cur = await readQueue();
       if (cur.paused?.reason === 'network') {
         await clearPause('network-recovered');
       }
@@ -1160,7 +1208,7 @@ async function pollLoop() {
       }
 
       await maybeLaunchWhenAvailable(cur);
-      broadcast();
+      await broadcast();
     } else if (r.kind === 'meter_rate_limited') {
       // Billing meter is itself being rate-limited. Treat as "utilization unknown but safe":
       // fire available jobs anyway at utilization=0 rather than pausing the queue.
@@ -1171,9 +1219,9 @@ async function pollLoop() {
       // Don't update firstNon429FailureAt — 429s don't count toward the 30-min network-pause threshold.
       cachedUtilization = 0; // assume safe; fire any pending work
       console.log(`[scheduler] billing meter rate-limited (HTTP 429) — firing on heuristic (failure #${consecutiveFailures})`);
-      const cur = readQueue();
+      const cur = await readQueue();
       await maybeLaunchWhenAvailable(cur);
-      broadcast();
+      await broadcast();
     } else {
       lastPollAt = Date.now();
       lastPollOk = false;
@@ -1194,7 +1242,7 @@ async function pollLoop() {
 
         // After 30 minutes of consecutive non-429 failures, set 'network' pause.
         if (totalNon429FailureMs > 30 * 60_000) {
-          const cur2 = readQueue();
+          const cur2 = await readQueue();
           if (!cur2.paused || cur2.paused.reason === 'network') {
             await setPaused('network', null);
           }
@@ -1229,23 +1277,14 @@ function registerScheduleHandlers() {
   supervisor.registerHandlers();
 
   ipcMain.handle('schedule:state', async () => {
-    const state = readQueue();
-    reconcile(state);
-    writeQueue(state);
-    return {
-      config: state.config,
-      jobs: state.jobs,
-      scheduledFor: state.scheduledFor,
-      lastRunAt: state.lastRunAt,
-      nextReset: getNextResetCached(),
-      paused: state.paused,
-      utilization: cachedUtilization,
-      paths: { root: ROOT, prds: PRDS_DIR, runs: RUNS_DIR, queue: QUEUE_PATH },
-    };
+    const state = await readQueue();
+    await reconcile(state);
+    await writeQueue(state);
+    return buildScheduleStatePayload(state, { withPaths: true });
   });
 
   ipcMain.handle('schedule:health', async () => {
-    const state = readQueue();
+    const state = await readQueue();
     const runningJobs = [];
     for (const j of state.jobs) {
       if (j.status === 'running' && j.runtime) {
@@ -1274,15 +1313,14 @@ function registerScheduleHandlers() {
     // Bypass the billing-poll gate entirely — fire pending jobs immediately regardless of meter state.
     // Clears any existing pause first (same semantics as run-now).
     await clearPause('run-now');
-    runDueJobs().catch((e) => console.error('[scheduler] runDueJobs error (force-tick)', e));
+    runDueJobs().catch((e) => logs.writeLine({ level: 'error', scope: 'scheduler', message: 'runDueJobs error (force-tick)', meta: { error: e?.message } }));
     return { ok: true };
   });
 
   ipcMain.handle('schedule:set-config', async (_e, partial) => {
-    const { schemas: s } = require('./ipcSchemas.cjs');
     let validated;
     try {
-      validated = s.setConfigSchema.parse(partial || {});
+      validated = schemas.setConfigSchema.parse(partial || {});
     } catch (e) {
       return { ok: false, error: e?.message ?? 'invalid config' };
     }
@@ -1299,18 +1337,13 @@ function registerScheduleHandlers() {
   });
 
   ipcMain.handle('schedule:reset-job', async (_e, payload) => {
-    const { schemas: s } = require('./ipcSchemas.cjs');
     let slug;
     try {
-      ({ slug } = s.scheduleSlug.parse(payload));
+      ({ slug } = schemas.scheduleSlug.parse(payload));
     } catch (e) {
       return { ok: false, error: 'invalid slug' };
     }
-    // Containment check after path.join.
-    const resolved = path.resolve(path.join(PRDS_DIR, `${slug}.md`));
-    if (!resolved.startsWith(PRDS_DIR + path.sep)) {
-      return { ok: false, error: 'invalid slug' };
-    }
+    if (!safeSlugPath(slug)) return { ok: false, error: 'invalid slug' };
     const found = await mutate((state) => {
       const idx = state.jobs.findIndex((j) => j.slug === slug);
       if (idx < 0) return false;
@@ -1318,14 +1351,14 @@ function registerScheduleHandlers() {
       return true;
     });
     if (!found) return { ok: false, error: 'not found' };
-    broadcast();
+    await broadcast();
     return { ok: true };
   });
 
   ipcMain.handle('schedule:run-now', async () => {
     // Manual run-now overrides any auto-pause. Clear it first.
     await clearPause('run-now');
-    runDueJobs().catch((e) => console.error('[scheduler] runDueJobs error', e));
+    runDueJobs().catch((e) => logs.writeLine({ level: 'error', scope: 'scheduler', message: 'runDueJobs error (run-now)', meta: { error: e?.message } }));
     return { ok: true };
   });
 
@@ -1344,11 +1377,11 @@ function registerScheduleHandlers() {
   // handler already reconciles on read, but this gives the renderer an
   // explicit refresh path that also broadcasts so all views update.
   ipcMain.handle('schedule:rescan', async () => {
-    await mutate((state) => {
-      reconcile(state);
+    await mutate(async (state) => {
+      await reconcile(state);
       return null;
     });
-    broadcast();
+    await broadcast();
     return { ok: true };
   });
 
@@ -1360,12 +1393,12 @@ function registerScheduleHandlers() {
     ensureDirs();
     const ts = new Date().toISOString().replace(/[:.]/g, '-');
     const archiveDir = path.join(PRDS_ARCHIVE_DIR, ts);
-    const state = readQueue();
+    const state = await readQueue();
     const victims = state.jobs.filter((j) => j.status === 'pending' || j.status === 'failed');
     if (victims.length === 0) {
       return { ok: true, archived: 0, archivedTo: null };
     }
-    fs.mkdirSync(archiveDir, { recursive: true });
+    await fsp.mkdir(archiveDir, { recursive: true });
     let archived = 0;
     for (const job of victims) {
       const src = path.resolve(path.join(PRDS_DIR, `${job.slug}.md`));
@@ -1378,17 +1411,17 @@ function registerScheduleHandlers() {
         // ENOENT: the .md is already gone (reconcile would drop it on next
         // read anyway). Either way, fall through and remove from queue.
         if (e?.code !== 'ENOENT') {
-          console.warn('[scheduler] clear-queue: rename failed', job.slug, e?.message);
+          logs.writeLine({ level: 'warn', scope: 'scheduler', message: 'clear-queue: rename failed', meta: { slug: job.slug, error: e?.message } });
         }
       }
     }
-    await mutate((s) => {
+    await mutate(async (s) => {
       const victimSlugs = new Set(victims.map((j) => j.slug));
       s.jobs = s.jobs.filter((j) => !victimSlugs.has(j.slug));
-      reconcile(s);
+      await reconcile(s);
       return null;
     });
-    broadcast();
+    await broadcast();
     return { ok: true, archived, archivedTo: archiveDir };
   });
 
@@ -1399,17 +1432,14 @@ function registerScheduleHandlers() {
   });
 
   ipcMain.handle('schedule:read-prd', async (_e, payload) => {
-    const { schemas: s } = require('./ipcSchemas.cjs');
     let slug;
     try {
-      ({ slug } = s.scheduleSlug.parse(payload));
+      ({ slug } = schemas.scheduleSlug.parse(payload));
     } catch {
       return { ok: false, error: 'invalid slug' };
     }
-    const filePath = path.resolve(path.join(PRDS_DIR, `${slug}.md`));
-    if (!filePath.startsWith(PRDS_DIR + path.sep)) {
-      return { ok: false, error: 'invalid slug' };
-    }
+    const filePath = safeSlugPath(slug);
+    if (!filePath) return { ok: false, error: 'invalid slug' };
     try {
       const text = await fsp.readFile(filePath, 'utf8');
       return { ok: true, text };
@@ -1419,13 +1449,14 @@ function registerScheduleHandlers() {
   });
 
   ipcMain.handle('schedule:read-log', async (_e, payload) => {
-    const { schemas: s } = require('./ipcSchemas.cjs');
     let slug, runId;
     try {
-      ({ slug, runId } = s.scheduleReadLog.parse(payload));
+      ({ slug, runId } = schemas.scheduleReadLog.parse(payload));
     } catch {
       return { ok: false, error: 'invalid slug or runId' };
     }
+    // Defense-in-depth: re-check containment after path.resolve even though
+    // SLUG_RE / RUN_ID_RE already forbid path separators.
     const logPath = path.resolve(path.join(RUNS_DIR, runId, `${slug}.log`));
     if (!logPath.startsWith(RUNS_DIR + path.sep)) {
       return { ok: false, error: 'invalid slug or runId' };
@@ -1438,21 +1469,23 @@ function registerScheduleHandlers() {
     }
   });
 
-  const PRD_WRITE_MAX_BYTES = 256 * 1024;
-  const SLUG_RE = /^[A-Za-z0-9._-]{1,128}$/;
-
-  ipcMain.handle('schedule:write-prd', async (_e, { slug, body }) => {
-    if (!SLUG_RE.test(slug)) throw new Error(`invalid slug: ${slug}`);
-    if (typeof body !== 'string') throw new Error('body must be string');
-    if (Buffer.byteLength(body, 'utf8') > PRD_WRITE_MAX_BYTES) throw new Error('body too large');
-    const file = path.join(PRDS_DIR, `${slug}.md`);
-    const resolved = path.resolve(file);
-    if (!resolved.startsWith(PRDS_DIR + path.sep)) throw new Error('path escape');
-    const tmp = `${resolved}.${process.pid}.${Date.now()}.tmp`;
-    await fsp.writeFile(tmp, body, { encoding: 'utf8', mode: 0o644 });
-    await fsp.rename(tmp, resolved);
-    const stat = await fsp.stat(resolved);
-    return { ok: true, bytesWritten: stat.size };
+  ipcMain.handle('schedule:write-prd', async (_e, payload) => {
+    let parsed;
+    try { parsed = schemas.scheduleWritePrd.parse(payload); }
+    catch (e) { return { ok: false, error: e?.message ?? 'invalid payload' }; }
+    const resolved = safeSlugPath(parsed.slug);
+    if (!resolved) return { ok: false, error: 'invalid slug' };
+    try {
+      await config.writeTextAtomic(resolved, parsed.body);
+    } catch (e) {
+      return { ok: false, error: e?.message ?? 'write failed' };
+    }
+    try {
+      const stat = await fsp.stat(resolved);
+      return { ok: true, bytesWritten: stat.size };
+    } catch (e) {
+      return { ok: false, error: e?.message ?? 'stat failed' };
+    }
   });
 
   ipcMain.handle('schedule:list-prds', async () => {
@@ -1460,7 +1493,8 @@ function registerScheduleHandlers() {
     let entries;
     try {
       entries = await fsp.readdir(PRDS_DIR);
-    } catch {
+    } catch (e) {
+      logs.writeLine({ level: 'warn', scope: 'scheduler', message: 'list-prds: readdir failed', meta: { error: e?.message } });
       return [];
     }
     const out = [];
@@ -1468,7 +1502,7 @@ function registerScheduleHandlers() {
       if (!name.endsWith('.md') || name.startsWith('.')) continue;
       const filePath = path.join(PRDS_DIR, name);
       try {
-        const parsed = parsePrd(filePath);
+        const parsed = await parsePrd(filePath);
         const stat = await fsp.stat(filePath);
         out.push({
           slug: parsed.slug,
@@ -1479,7 +1513,7 @@ function registerScheduleHandlers() {
           mtimeMs: stat.mtimeMs,
         });
       } catch (e) {
-        console.warn('[scheduler] list-prds: skipping unparseable', name, e?.message);
+        logs.writeLine({ level: 'warn', scope: 'scheduler', message: 'list-prds: skipping unparseable file', meta: { name, error: e?.message } });
       }
     }
     out.sort((a, b) => a.slug.localeCompare(b.slug, undefined, { numeric: true }));
@@ -1509,7 +1543,7 @@ async function init() {
 
   // If we boot up while paused with a resumeAt in the past, clear it. This
   // happens when the app was closed across the reset window.
-  const boot = readQueue();
+  const boot = await readQueue();
   if (boot.paused && boot.paused.resumeAt && new Date(boot.paused.resumeAt).getTime() <= Date.now()) {
     await clearPause('boot-elapsed');
   } else if (boot.paused && boot.paused.resumeAt) {
@@ -1530,15 +1564,20 @@ async function init() {
   pollLoopTimer = setTimeout(() => { pollLoop().catch(() => {}); }, USAGE_REFRESH_INTERVAL_MS);
   if (pollLoopTimer.unref) pollLoopTimer.unref();
 
-  // Supervisor: probe running jobs for wedged poll-loops.
+  // Supervisor: probe running jobs for wedged poll-loops. Supervisor calls
+  // its injected readQueue() synchronously from supervisorTick and applyAction,
+  // so pass the sync variant; the 15-min probe cadence makes the blocking cost
+  // negligible vs IPC handler latency.
   if (process.env.SM_SUPERVISOR_DISABLE !== '1') {
-    supervisor.startSupervisor({ readQueue, mutate });
+    supervisor.startSupervisor({ readQueue: readQueueSync });
   }
 
   // Heartbeat: once per minute, log queue state for 24h visibility.
+  // setInterval callback is sync; readQueueSync stays sync to avoid awaiting
+  // inside the timer body (and the 60s cadence makes the cost moot).
   if (heartbeatInterval) clearInterval(heartbeatInterval);
   heartbeatInterval = setInterval(() => {
-    const s = readQueue();
+    const s = readQueueSync();
     const counts = { pending: 0, running: 0, completed: 0, failed: 0 };
     for (const j of s.jobs) counts[j.status] = (counts[j.status] || 0) + 1;
     appendHeartbeat({
@@ -1560,8 +1599,10 @@ async function init() {
       if (pollLoopTimer) { clearTimeout(pollLoopTimer); pollLoopTimer = null; }
       backoffMs = 0;
       backoffNextAt = null;
-      // Clear any paused-but-resumeAt-elapsed state immediately.
-      const wakeState = readQueue();
+      // Clear any paused-but-resumeAt-elapsed state immediately. Sync read:
+      // the powerMonitor 'resume' callback fires rarely and isn't on the IPC
+      // hot path; switching to async would require an IIFE wrapper for no gain.
+      const wakeState = readQueueSync();
       if (wakeState.paused?.resumeAt && new Date(wakeState.paused.resumeAt).getTime() <= Date.now()) {
         clearPause('boot-elapsed').then(() => { runDueJobs().catch(() => {}); }).catch(() => {});
       }