codekin 0.5.0 → 0.5.2

package/server/dist/session-manager.js

@@ -24,6 +24,7 @@ import { homedir } from 'os';
 import path from 'path';
 import { promisify } from 'util';
 import { ClaudeProcess } from './claude-process.js';
+import { PlanManager } from './plan-manager.js';
 import { SessionArchive } from './session-archive.js';
 import { cleanupWorkspace } from './webhook-workspace.js';
 import { PORT } from './config.js';
@@ -36,12 +37,20 @@ import { evaluateRestart } from './session-restart-scheduler.js';
 const execFileAsync = promisify(execFile);
 /** Max messages retained in a session's output history buffer. */
 const MAX_HISTORY = 2000;
-/** No-output duration before emitting a stall warning (5 minutes). */
-const STALL_TIMEOUT_MS = 5 * 60 * 1000;
 /** Max API error retries per turn before giving up. */
 const MAX_API_RETRIES = 3;
 /** Base delay for API error retry (doubles each attempt: 3s, 6s, 12s). */
 const API_RETRY_BASE_DELAY_MS = 3000;
+/** How long a session can be idle (no clients, no activity) before its process is stopped. */
+const IDLE_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+/** How often to check for idle sessions. */
+const IDLE_CHECK_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+/** How old a dead session must be before automatic pruning (7 days). */
+const STALE_SESSION_AGE_MS = 7 * 24 * 60 * 60 * 1000;
+/** Number of Claude turns before showing a context compression warning. */
+const CONTEXT_WARNING_TURN_THRESHOLD = 15;
+/** Second warning at this threshold. */
+const CONTEXT_CRITICAL_TURN_THRESHOLD = 25;
 /** Patterns in result text that indicate a transient API error worth retrying. */
 const API_RETRY_PATTERNS = [
     /api_error/i,
@@ -80,6 +89,8 @@ export class SessionManager {
     sessionPersistence;
     /** Delegated diff operations (git diff, discard changes). */
     diffManager;
+    /** Interval handle for the idle session reaper. */
+    _idleReaperInterval = null;
     constructor() {
         this.archive = new SessionArchive();
         this._approvalManager = new ApprovalManager();
@@ -91,6 +102,62 @@ export class SessionManager {
             rename: (sessionId, newName) => this.rename(sessionId, newName),
         });
         this.sessionPersistence.restoreFromDisk();
+        // Wire PlanManager events for restored sessions
+        for (const session of this.sessions.values()) {
+            this.wirePlanManager(session);
+        }
+        // Start idle session reaper
+        this._idleReaperInterval = setInterval(() => this.reapIdleSessions(), IDLE_CHECK_INTERVAL_MS);
+    }
+    /**
+     * Stop Claude processes for sessions that have been idle too long.
+     * A session is idle when it has no connected clients and no activity
+     * for IDLE_SESSION_TIMEOUT_MS. Only stops the process — does not delete
+     * the session, so it can be resumed later via --resume.
+     * Headless sessions (webhook, workflow, stepflow) are exempt.
+     */
+    reapIdleSessions() {
+        const now = Date.now();
+        for (const session of this.sessions.values()) {
+            // Skip headless sessions — they are managed by their own lifecycles
+            if (session.source === 'webhook' || session.source === 'workflow' || session.source === 'stepflow')
+                continue;
+            // Skip sessions with connected clients or no running process
+            if (session.clients.size > 0 || !session.claudeProcess?.isAlive())
+                continue;
+            // Skip sessions that are actively processing
+            if (session.isProcessing)
+                continue;
+            const idleMs = now - session._lastActivityAt;
+            if (idleMs > IDLE_SESSION_TIMEOUT_MS) {
+                console.log(`[idle-reaper] stopping idle session=${session.id} name="${session.name}" idle=${Math.round(idleMs / 60_000)}min`);
+                session._stoppedByUser = true; // prevent auto-restart
+                session.claudeProcess.removeAllListeners();
+                session.claudeProcess.stop();
+                session.claudeProcess = null;
+                session.isProcessing = false;
+                const msg = { type: 'system_message', subtype: 'exit', text: 'Claude process stopped due to inactivity. It will resume when you send a new message.' };
+                this.addToHistory(session, msg);
+                this.persistToDiskDebounced();
+                this._globalBroadcast?.({ type: 'sessions_updated' });
+            }
+        }
+        // Prune stale sessions: no process, no clients, older than STALE_SESSION_AGE_MS
+        const staleIds = [];
+        for (const session of this.sessions.values()) {
+            if (session.claudeProcess?.isAlive())
+                continue;
+            if (session.clients.size > 0)
+                continue;
+            const ageMs = now - new Date(session.created).getTime();
+            if (ageMs > STALE_SESSION_AGE_MS) {
+                staleIds.push(session.id);
+            }
+        }
+        for (const id of staleIds) {
+            console.log(`[idle-reaper] pruning stale session=${id} (age > ${STALE_SESSION_AGE_MS / 86_400_000}d)`);
+            this.delete(id);
+        }
     }
     // ---------------------------------------------------------------------------
     // Approval — direct accessor (callers use sessions.approvalManager.xxx)
@@ -143,16 +210,19 @@ export class SessionManager {
             restartCount: 0,
             lastRestartAt: null,
             _stoppedByUser: false,
-            _stallTimer: null,
             _wasActiveBeforeRestart: false,
             _apiRetryCount: 0,
             _turnCount: 0,
+            _claudeTurnCount: 0,
             _namingAttempts: 0,
             isProcessing: false,
             pendingControlRequests: new Map(),
             pendingToolApprovals: new Map(),
             _leaveGraceTimer: null,
+            _lastActivityAt: Date.now(),
+            planManager: new PlanManager(),
         };
+        this.wirePlanManager(session);
         this.sessions.set(id, session);
         this.persistToDisk();
         this._globalBroadcast?.({ type: 'sessions_updated' });
@@ -327,6 +397,11 @@ export class SessionManager {
      *  The `willRestart` flag indicates whether the session will be auto-restarted. */
     onSessionExit(listener) {
         this._exitListeners.push(listener);
+        return () => {
+            const idx = this._exitListeners.indexOf(listener);
+            if (idx >= 0)
+                this._exitListeners.splice(idx, 1);
+        };
     }
     /** Register a listener called when any session emits a prompt (permission request or question). */
     onSessionPrompt(listener) {
@@ -335,6 +410,11 @@ export class SessionManager {
     /** Register a listener called when any session completes a turn (result event). */
     onSessionResult(listener) {
         this._resultListeners.push(listener);
+        return () => {
+            const idx = this._resultListeners.indexOf(listener);
+            if (idx >= 0)
+                this._resultListeners.splice(idx, 1);
+        };
     }
     get(id) {
         return this.sessions.get(id);
@@ -386,7 +466,7 @@ export class SessionManager {
             groupDir: s.groupDir,
             worktreePath: s.worktreePath,
             connectedClients: s.clients.size,
-            lastActivity: s.created,
+            lastActivity: new Date(s._lastActivityAt).toISOString(),
             source: s.source,
         }));
     }
@@ -403,7 +483,7 @@ export class SessionManager {
             groupDir: s.groupDir,
             worktreePath: s.worktreePath,
             connectedClients: s.clients.size,
-            lastActivity: s.created,
+            lastActivity: new Date(s._lastActivityAt).toISOString(),
             source: s.source,
         }));
     }
@@ -430,6 +510,7 @@ export class SessionManager {
         }
         session.clients.add(ws);
         this.clientSessionMap.set(ws, sessionId);
+        session._lastActivityAt = Date.now();
         // Re-broadcast pending tool approval prompts (PreToolUse hook path)
         for (const pending of session.pendingToolApprovals.values()) {
             if (pending.promptMsg) {
@@ -488,7 +569,6 @@ export class SessionManager {
             return false;
         // Prevent auto-restart when deleting
         session._stoppedByUser = true;
-        this.clearStallTimer(session);
         if (session._apiRetryTimer)
             clearTimeout(session._apiRetryTimer);
         if (session._namingTimer)
@@ -599,17 +679,47 @@ export class SessionManager {
         const repoDir = session.groupDir ?? session.workingDir;
         const registryPatterns = this._approvalManager.getAllowedToolsForRepo(repoDir);
         const mergedAllowedTools = [...new Set([...(session.allowedTools || []), ...registryPatterns])];
-        const cp = new ClaudeProcess(session.workingDir, session.claudeSessionId || undefined, extraEnv, session.model, session.permissionMode, resume, mergedAllowedTools);
+        const cp = new ClaudeProcess(session.workingDir, {
+            sessionId: session.claudeSessionId || undefined,
+            extraEnv,
+            model: session.model,
+            permissionMode: session.permissionMode,
+            resume,
+            allowedTools: mergedAllowedTools,
+        });
         this.wireClaudeEvents(cp, session, sessionId);
         cp.start();
         session.claudeProcess = cp;
-        this.resetStallTimer(session);
         this._globalBroadcast?.({ type: 'sessions_updated' });
         const startMsg = { type: 'claude_started', sessionId };
         this.addToHistory(session, startMsg);
         this.broadcast(session, startMsg);
         return true;
     }
+    /**
+     * Wait for a session's Claude process to emit its system_init event,
+     * indicating it is ready to accept input. Resolves immediately if the
+     * session already has a claudeSessionId (process previously initialized).
+     * Times out after `timeoutMs` (default 30s) to avoid hanging indefinitely.
+     */
+    waitForReady(sessionId, timeoutMs = 30_000) {
+        const session = this.sessions.get(sessionId);
+        if (!session?.claudeProcess)
+            return Promise.resolve();
+        // If the process already completed init in a prior turn, resolve immediately
+        if (session.claudeSessionId)
+            return Promise.resolve();
+        return new Promise((resolve) => {
+            const timer = setTimeout(() => {
+                console.warn(`[waitForReady] Timed out waiting for system_init on ${sessionId} after ${timeoutMs}ms`);
+                resolve();
+            }, timeoutMs);
+            session.claudeProcess.once('system_init', () => {
+                clearTimeout(timer);
+                resolve();
+            });
+        });
+    }
     /**
      * Attach all ClaudeProcess event listeners for a session.
      * Extracted from startClaude() to keep that method focused on process setup.
@@ -622,11 +732,23 @@ export class SessionManager {
         cp.on('image', (base64Data, mediaType) => this.onImageEvent(session, base64Data, mediaType));
         cp.on('tool_active', (toolName, toolInput) => this.onToolActiveEvent(session, toolName, toolInput));
         cp.on('tool_done', (toolName, summary) => this.onToolDoneEvent(session, toolName, summary));
-        cp.on('planning_mode', (active) => { this.broadcastAndHistory(session, { type: 'planning_mode', active }); });
+        cp.on('planning_mode', (active) => {
+            // Route EnterPlanMode through PlanManager for UI state tracking.
+            // ExitPlanMode (active=false) is ignored here — the PreToolUse hook
+            // is the enforcement gate, and it calls handleExitPlanModeApproval()
+            // which transitions PlanManager to 'reviewing'.
+            if (active) {
+                session.planManager.onEnterPlanMode();
+            }
+            // ExitPlanMode stream event intentionally ignored — hook handles it.
+        });
         cp.on('todo_update', (tasks) => { this.broadcastAndHistory(session, { type: 'todo_update', tasks }); });
         cp.on('prompt', (...args) => this.onPromptEvent(session, ...args));
         cp.on('control_request', (requestId, toolName, toolInput) => this.onControlRequestEvent(cp, session, sessionId, requestId, toolName, toolInput));
-        cp.on('result', (result, isError) => { this.resetStallTimer(session); this.handleClaudeResult(session, sessionId, result, isError); });
+        cp.on('result', (result, isError) => {
+            session.planManager.onTurnEnd();
+            this.handleClaudeResult(session, sessionId, result, isError);
+        });
         cp.on('error', (message) => this.broadcast(session, { type: 'error', message }));
         cp.on('exit', (code, signal) => { cp.removeAllListeners(); this.handleClaudeExit(session, sessionId, code, signal); });
     }
@@ -635,6 +757,20 @@ export class SessionManager {
         this.addToHistory(session, msg);
         this.broadcast(session, msg);
     }
+    /**
+     * Wire PlanManager events for a session.
+     * Called once at session creation (not per-process, since PlanManager outlives restarts).
+     * Idempotent — guards against double-wiring on restore + restart.
+     */
+    wirePlanManager(session) {
+        if (session._planManagerWired)
+            return;
+        session._planManagerWired = true;
+        const pm = session.planManager;
+        pm.on('planning_mode', (active) => {
+            this.broadcastAndHistory(session, { type: 'planning_mode', active });
+        });
+    }
     onSystemInit(cp, session, model) {
         session.claudeSessionId = cp.getSessionId();
         // Only show model message on first init or when model actually changes
@@ -644,30 +780,24 @@ export class SessionManager {
         }
     }
     onTextEvent(session, sessionId, text) {
-        this.resetStallTimer(session);
         this.broadcastAndHistory(session, { type: 'output', data: text });
         if (session.name.startsWith('hub:') && !session._namingTimer) {
             this.scheduleSessionNaming(sessionId);
         }
     }
     onThinkingEvent(session, summary) {
-        this.resetStallTimer(session);
         this.broadcast(session, { type: 'thinking', summary });
     }
     onToolOutputEvent(session, content, isError) {
-        this.resetStallTimer(session);
         this.broadcastAndHistory(session, { type: 'tool_output', content, isError });
     }
     onImageEvent(session, base64, mediaType) {
-        this.resetStallTimer(session);
         this.broadcastAndHistory(session, { type: 'image', base64, mediaType });
     }
     onToolActiveEvent(session, toolName, toolInput) {
-        this.resetStallTimer(session);
         this.broadcastAndHistory(session, { type: 'tool_active', toolName, toolInput });
     }
     onToolDoneEvent(session, toolName, summary) {
-        this.resetStallTimer(session);
         this.broadcastAndHistory(session, { type: 'tool_done', toolName, summary });
     }
     onPromptEvent(session, promptType, question, options, multiSelect, toolName, toolInput, requestId, questions) {
@@ -760,63 +890,121 @@ export class SessionManager {
      */
     handleClaudeResult(session, sessionId, result, isError) {
         session.isProcessing = false;
+        session._claudeTurnCount++;
         this._globalBroadcast?.({ type: 'sessions_updated' });
-        // Detect transient API errors and auto-retry the last user message
-        if (isError && session._lastUserInput && this.isRetryableApiError(result)) {
-            if (session._apiRetryCount < MAX_API_RETRIES) {
-                session._apiRetryCount++;
-                const attempt = session._apiRetryCount;
-                const delay = API_RETRY_BASE_DELAY_MS * Math.pow(2, attempt - 1);
-                const retryMsg = {
-                    type: 'system_message',
-                    subtype: 'restart',
-                    text: `API error (transient). Retrying automatically in ${delay / 1000}s (attempt ${attempt}/${MAX_API_RETRIES})...`,
-                };
-                this.addToHistory(session, retryMsg);
-                this.broadcast(session, retryMsg);
-                console.log(`[api-retry] session=${sessionId} attempt=${attempt}/${MAX_API_RETRIES} delay=${delay}ms error=${result.slice(0, 200)}`);
-                // Clear any previous retry timer
-                if (session._apiRetryTimer)
-                    clearTimeout(session._apiRetryTimer);
-                session._apiRetryTimer = setTimeout(() => {
-                    session._apiRetryTimer = undefined;
-                    if (!session.claudeProcess?.isAlive() || session._stoppedByUser)
-                        return;
-                    console.log(`[api-retry] resending message for session=${sessionId} attempt=${attempt}`);
-                    session.claudeProcess.sendMessage(session._lastUserInput);
-                }, delay);
-                return; // Don't broadcast result — we're retrying
-            }
-            // All retries exhausted
-            const exhaustedMsg = {
+        // Attempt API retry for transient errors — returns true if a retry was scheduled
+        if (isError && this.handleApiRetry(session, sessionId, result)) {
+            return;
+        }
+        // Warn about context window pressure at turn thresholds
+        this.checkContextWarning(session);
+        this.finalizeResult(session, sessionId, result, isError);
+    }
+    /**
+     * Emit a notification when the session has had enough turns that Claude's
+     * context window may start compressing older messages. Uses simple turn-count
+     * heuristic — imprecise but zero-risk and protocol-independent.
+     */
+    checkContextWarning(session) {
+        const turns = session._claudeTurnCount;
+        if (turns === CONTEXT_WARNING_TURN_THRESHOLD) {
+            const msg = {
+                type: 'system_message',
+                subtype: 'notification',
+                text: `This session has ${turns} turns. Claude may begin compressing older messages from its context window. Earlier parts of the conversation may no longer be fully available to Claude.`,
+            };
+            this.broadcastAndHistory(session, msg);
+            session._contextWarningShown = true;
+        }
+        else if (turns === CONTEXT_CRITICAL_TURN_THRESHOLD) {
+            const msg = {
                 type: 'system_message',
-                subtype: 'error',
-                text: `API error persisted after ${MAX_API_RETRIES} retries. ${result}`,
+                subtype: 'notification',
+                text: `This session has ${turns} turns. Claude's context window is likely under pressure — older messages may have been compressed or dropped. Consider starting a new session for best results.`,
             };
-            this.addToHistory(session, exhaustedMsg);
-            this.broadcast(session, exhaustedMsg);
+            this.broadcastAndHistory(session, msg);
+        }
+    }
+    /**
+     * Detect transient API errors and schedule an automatic retry.
+     * Returns true if a retry was scheduled (caller should skip result broadcast).
+     */
+    handleApiRetry(session, sessionId, result) {
+        if (!session._lastUserInput || !this.isRetryableApiError(result)) {
             session._apiRetryCount = 0;
+            return false;
         }
-        else {
-            // Non-retryable error or successful result — reset retry counter
+        // Skip retry if the original input is older than 60 seconds — context has likely moved on
+        if (session._lastUserInputAt && Date.now() - session._lastUserInputAt > 60_000) {
+            console.log(`[api-retry] skipping stale retry for session=${sessionId} (input age=${Math.round((Date.now() - session._lastUserInputAt) / 1000)}s)`);
             session._apiRetryCount = 0;
-            if (isError) {
-                const msg = { type: 'system_message', subtype: 'error', text: result };
-                this.addToHistory(session, msg);
-                this.broadcast(session, msg);
+            return false;
+        }
+        if (session._apiRetryCount < MAX_API_RETRIES) {
+            session._apiRetryCount++;
+            const attempt = session._apiRetryCount;
+            const delay = API_RETRY_BASE_DELAY_MS * Math.pow(2, attempt - 1);
+            const retryMsg = {
+                type: 'system_message',
+                subtype: 'restart',
+                text: `API error (transient). Retrying automatically in ${delay / 1000}s (attempt ${attempt}/${MAX_API_RETRIES})...`,
+            };
+            this.addToHistory(session, retryMsg);
+            this.broadcast(session, retryMsg);
+            console.log(`[api-retry] session=${sessionId} attempt=${attempt}/${MAX_API_RETRIES} delay=${delay}ms error=${result.slice(0, 200)}`);
+            if (session._apiRetryTimer)
+                clearTimeout(session._apiRetryTimer);
+            session._apiRetryTimer = setTimeout(() => {
+                session._apiRetryTimer = undefined;
+                if (!session.claudeProcess?.isAlive() || session._stoppedByUser)
+                    return;
+                console.log(`[api-retry] resending message for session=${sessionId} attempt=${attempt}`);
+                session.claudeProcess.sendMessage(session._lastUserInput);
+            }, delay);
+            return true;
+        }
+        // All retries exhausted
+        const exhaustedMsg = {
+            type: 'system_message',
+            subtype: 'error',
+            text: `API error persisted after ${MAX_API_RETRIES} retries. ${result}`,
+        };
+        this.addToHistory(session, exhaustedMsg);
+        this.broadcast(session, exhaustedMsg);
+        session._apiRetryCount = 0;
+        return false;
+    }
+    /**
+     * Broadcast the turn result, suppress orchestrator noise, notify listeners,
+     * and trigger session naming if needed.
+     */
+    finalizeResult(session, sessionId, result, isError) {
+        session._apiRetryCount = 0;
+        session._lastUserInput = undefined;
+        session._lastUserInputAt = undefined;
+        if (isError) {
+            const msg = { type: 'system_message', subtype: 'error', text: result };
+            this.addToHistory(session, msg);
+            this.broadcast(session, msg);
+        }
+        // Suppress noise from orchestrator/agent sessions
+        if ((session.source === 'orchestrator' || session.source === 'agent') && !isError) {
+            const turnText = this.extractCurrentTurnText(session);
+            if (turnText && turnText.length < 80 && /^(no response requested|please approve|nothing to do|no action needed|acknowledged)[.!]?$/i.test(turnText.trim())) {
+                this.stripCurrentTurnOutput(session);
+                console.log(`[noise-filter] suppressed orchestrator noise: "${turnText.trim().slice(0, 60)}"`);
             }
         }
         const resultMsg = { type: 'result' };
         this.addToHistory(session, resultMsg);
         this.broadcast(session, resultMsg);
-        // Notify result listeners (orchestrator, child monitor, etc.)
         for (const listener of this._resultListeners) {
             try {
                 listener(sessionId, isError);
             }
             catch { /* listener error */ }
         }
-        // If session is still unnamed after first response, name it now — we have full context
+        // If session is still unnamed after first response, name it now
         if (session.name.startsWith('hub:') && session._namingAttempts === 0) {
             if (session._namingTimer) {
                 clearTimeout(session._namingTimer);
@@ -835,7 +1023,7 @@ export class SessionManager {
     handleClaudeExit(session, sessionId, code, signal) {
         session.claudeProcess = null;
         session.isProcessing = false;
-        this.clearStallTimer(session);
+        session.planManager.reset();
         this._globalBroadcast?.({ type: 'sessions_updated' });
         const action = evaluateRestart({
             restartCount: session.restartCount,
@@ -916,8 +1104,11 @@ export class SessionManager {
         const session = this.sessions.get(sessionId);
         if (!session)
             return;
+        session._lastActivityAt = Date.now();
+        // Reset stopped-by-user flag so idle-reaped sessions can auto-start
+        session._stoppedByUser = false;
         if (!session.claudeProcess?.isAlive()) {
-            // Claude not running (e.g. after server restart) — auto-start first.
+            // Claude not running (e.g. after server restart or idle reap) — auto-start first.
             // Claude CLI in -p mode waits for first input before emitting init,
             // so we write directly to the stdin pipe buffer (no waiting for init).
             this.startClaude(sessionId);
@@ -930,6 +1121,7 @@ export class SessionManager {
                 if (context) {
                     const combined = context + '\n\n' + data;
                     session._lastUserInput = combined;
+                    session._lastUserInputAt = Date.now();
                     session._apiRetryCount = 0;
                     if (!session.isProcessing) {
                         session.isProcessing = true;
@@ -949,6 +1141,7 @@ export class SessionManager {
             this.retrySessionNamingOnInteraction(sessionId);
         }
         session._lastUserInput = data;
+        session._lastUserInputAt = Date.now();
         session._apiRetryCount = 0;
         if (!session.isProcessing) {
             session.isProcessing = true;
@@ -965,6 +1158,9 @@ export class SessionManager {
         const session = this.sessions.get(sessionId);
         if (!session)
             return;
+        session._lastActivityAt = Date.now();
+        // ExitPlanMode approvals are handled through the normal pendingToolApprovals
+        // path (routed via the PreToolUse hook). No special plan_review_ prefix needed.
         // Check for pending tool approval from PreToolUse hook
         if (!requestId) {
             const totalPending = session.pendingToolApprovals.size + session.pendingControlRequests.size;
@@ -1045,6 +1241,27 @@ export class SessionManager {
             this.broadcast(session, { type: 'prompt_dismiss', requestId: approval.requestId });
             return;
         }
+        // ExitPlanMode: route through PlanManager for state tracking.
+        // The hook will convert allow→deny-with-approval-message (CLI workaround).
+        if (approval.toolName === 'ExitPlanMode') {
+            const first = Array.isArray(value) ? value[0] : value;
+            const isDeny = first === 'deny';
+            if (isDeny) {
+                // Extract feedback text if present (value may be ['deny', 'feedback text'])
+                const feedback = Array.isArray(value) && value.length > 1 ? value[1] : undefined;
+                const reason = session.planManager.deny(approval.requestId, feedback);
+                console.log(`[plan-approval] denied: ${reason}`);
+                approval.resolve({ allow: false, always: false });
+            }
+            else {
+                session.planManager.approve(approval.requestId);
+                console.log(`[plan-approval] approved`);
+                approval.resolve({ allow: true, always: false });
+            }
+            session.pendingToolApprovals.delete(approval.requestId);
+            this.broadcast(session, { type: 'prompt_dismiss', requestId: approval.requestId });
+            return;
+        }
         const { isDeny, isAlwaysAllow, isApprovePattern } = this.decodeApprovalValue(value);
         if (isAlwaysAllow && !isDeny) {
             this._approvalManager.saveAlwaysAllow(session.groupDir ?? session.workingDir, approval.toolName, approval.toolInput);
@@ -1056,12 +1273,6 @@ export class SessionManager {
         approval.resolve({ allow: !isDeny, always: isAlwaysAllow || isApprovePattern });
         session.pendingToolApprovals.delete(approval.requestId);
         this.broadcast(session, { type: 'prompt_dismiss', requestId: approval.requestId });
-        // When ExitPlanMode is approved via the PreToolUse hook, immediately clear
-        // pending state and emit planning_mode:false. The control_request path may
-        // never arrive (or arrive as is_error=true), so this ensures plan mode exits.
-        if (approval.toolName === 'ExitPlanMode' && !isDeny) {
-            session.claudeProcess?.clearPendingExitPlanMode();
-        }
     }
     /**
      * Send an AskUserQuestion control response, mapping the user's answer(s) into
@@ -1132,6 +1343,11 @@ export class SessionManager {
             return Promise.resolve({ allow: true, always: false });
         }
         console.log(`[tool-approval] requesting approval: session=${sessionId} tool=${toolName} clients=${session.clients.size}`);
+        // ExitPlanMode: route through PlanManager state machine for plan-specific
+        // approval UI. The hook blocks until we resolve the promise.
+        if (toolName === 'ExitPlanMode') {
+            return this.handleExitPlanModeApproval(session, sessionId);
+        }
         // Prevent double-gating: if a control_request already created a pending
         // entry for this tool, auto-approve the control_request and let the hook
         // take over as the sole approval gate.  This is the reverse of the check
@@ -1167,7 +1383,7 @@ export class SessionManager {
                     this.broadcast(session, { type: 'prompt_dismiss', requestId: approvalRequestId });
                     resolve({ allow: false, always: false });
                 }
-            }, isQuestion || toolName === 'ExitPlanMode' ? 300_000 : (session.source === 'agent' ? 300_000 : 60_000)); // 5 min for questions, plan exit & agent children, 1 min for interactive
+            }, isQuestion ? 300_000 : (session.source === 'agent' ? 300_000 : 60_000)); // 5 min for questions & agent children, 1 min for interactive
             let promptMsg;
             if (isQuestion) {
                 // AskUserQuestion: extract structured questions from toolInput.questions
@@ -1242,6 +1458,66 @@ export class SessionManager {
             }
         });
     }
+    /**
+     * Handle ExitPlanMode approval through PlanManager.
+     * Shows a plan-specific approval prompt (Approve/Reject) and blocks the hook
+     * until the user responds. On approve, returns allow:true (the hook will use
+     * the deny-with-approval-message workaround). On deny, returns allow:false.
+     */
+    handleExitPlanModeApproval(session, sessionId) {
+        const reviewId = session.planManager.onExitPlanModeRequested();
+        if (!reviewId) {
+            // Not in planning state — fall through to allow (CLI handles natively)
+            console.log(`[plan-approval] ExitPlanMode but PlanManager not in planning state, allowing`);
+            return Promise.resolve({ allow: true, always: false });
+        }
+        return new Promise((resolve) => {
+            const timer = { id: null };
+            const wrappedResolve = (result) => {
+                if (timer.id)
+                    clearTimeout(timer.id);
+                resolve(result);
+            };
+            // Timeout: auto-deny after 5 minutes to prevent leaked promises
+            timer.id = setTimeout(() => {
+                if (session.pendingToolApprovals.has(reviewId)) {
+                    console.log(`[plan-approval] timed out, auto-denying`);
+                    session.pendingToolApprovals.delete(reviewId);
+                    session.planManager.deny(reviewId);
+                    this.broadcast(session, { type: 'prompt_dismiss', requestId: reviewId });
+                    resolve({ allow: false, always: false });
+                }
+            }, 300_000);
+            const promptMsg = {
+                type: 'prompt',
+                promptType: 'permission',
+                question: 'Approve plan and start implementation?',
+                options: [
+                    { label: 'Approve', value: 'allow' },
+                    { label: 'Reject', value: 'deny' },
+                ],
+                toolName: 'ExitPlanMode',
+                requestId: reviewId,
+            };
+            session.pendingToolApprovals.set(reviewId, {
+                resolve: wrappedResolve,
+                toolName: 'ExitPlanMode',
+                toolInput: {},
+                requestId: reviewId,
+                promptMsg,
+            });
+            this.broadcast(session, promptMsg);
+            if (session.clients.size === 0) {
+                this._globalBroadcast?.({ ...promptMsg, sessionId, sessionName: session.name });
+            }
+            for (const listener of this._promptListeners) {
+                try {
+                    listener(sessionId, 'permission', 'ExitPlanMode', reviewId);
+                }
+                catch { /* listener error */ }
+            }
+        });
+    }
     /**
      * Check if a tool invocation can be auto-approved without prompting the user.
      * Returns 'registry' if matched by auto-approval rules, 'session' if matched
@@ -1255,7 +1531,7 @@ export class SessionManager {
         if (session.allowedTools && this.matchesAllowedTools(session.allowedTools, toolName, toolInput)) {
             return 'session';
         }
-        if (session.clients.size === 0 && (session.source === 'webhook' || session.source === 'workflow' || session.source === 'stepflow')) {
+        if (session.clients.size === 0 && (session.source === 'webhook' || session.source === 'workflow' || session.source === 'stepflow' || session.source === 'orchestrator')) {
             return 'headless';
         }
         return 'prompt';
@@ -1301,8 +1577,6 @@ export class SessionManager {
                 const filePath = String(toolInput.file_path || '');
                 return `Allow Read? \`${filePath}\``;
             }
-            case 'ExitPlanMode':
-                return 'Approve plan and start implementation?';
             default:
                 return `Allow ${toolName}?`;
         }
@@ -1359,7 +1633,6 @@ export class SessionManager {
         const session = this.sessions.get(sessionId);
         if (session?.claudeProcess) {
             session._stoppedByUser = true;
-            this.clearStallTimer(session);
             if (session._apiRetryTimer)
                 clearTimeout(session._apiRetryTimer);
             session.claudeProcess.removeAllListeners();
@@ -1379,7 +1652,6 @@ export class SessionManager {
             return;
         const cp = session.claudeProcess;
         session._stoppedByUser = true;
-        this.clearStallTimer(session);
         if (session._apiRetryTimer)
             clearTimeout(session._apiRetryTimer);
         cp.removeAllListeners();
@@ -1396,6 +1668,32 @@ export class SessionManager {
     isRetryableApiError(text) {
         return API_RETRY_PATTERNS.some((pattern) => pattern.test(text));
     }
+    /** Extract the concatenated text output from the current turn (after the last 'result' in history). */
+    extractCurrentTurnText(session) {
+        let text = '';
+        for (let i = session.outputHistory.length - 1; i >= 0; i--) {
+            const msg = session.outputHistory[i];
+            if (msg.type === 'result')
+                break;
+            if (msg.type === 'output')
+                text = msg.data + text;
+        }
+        return text;
+    }
+    /** Remove output messages from the current turn in history (after the last 'result'). */
+    stripCurrentTurnOutput(session) {
+        let cutIndex = session.outputHistory.length;
+        for (let i = session.outputHistory.length - 1; i >= 0; i--) {
+            const msg = session.outputHistory[i];
+            if (msg.type === 'result')
+                break;
+            if (msg.type === 'output') {
+                cutIndex = i;
+            }
+        }
+        // Remove output entries from cutIndex onwards (keep non-output entries like tool events)
+        session.outputHistory = session.outputHistory.filter((msg, idx) => idx < cutIndex || msg.type !== 'output');
+    }
     /**
      * Build a condensed text summary of a session's conversation history.
      * Used as context when auto-starting Claude for sessions without a saved
@@ -1459,43 +1757,36 @@ export class SessionManager {
         }
         return `[This session was interrupted by a server restart. Here is the previous conversation for context:]\n${context}\n[End of previous context. The user's new message follows.]`;
     }
-    resetStallTimer(session) {
-        this.clearStallTimer(session);
-        session._stallTimer = setTimeout(() => {
-            session._stallTimer = null;
-            if (!session.claudeProcess?.isAlive())
-                return;
-            const msg = {
-                type: 'system_message',
-                subtype: 'stall',
-                text: 'No output for 5 minutes. The process may be stalled.',
-            };
-            this.addToHistory(session, msg);
-            this.broadcast(session, msg);
-        }, STALL_TIMEOUT_MS);
-    }
-    clearStallTimer(session) {
-        if (session._stallTimer) {
-            clearTimeout(session._stallTimer);
-            session._stallTimer = null;
-        }
-    }
+    /** Max size of a single output chunk in the history buffer. */
+    static MAX_OUTPUT_CHUNK = 50_000; // 50KB
     /**
      * Append a message to a session's output history for replay.
-     * Merges consecutive 'output' chunks into a single entry to save space.
+     * Merges consecutive 'output' chunks up to MAX_OUTPUT_CHUNK to save space,
+     * and splits oversized outputs into multiple entries to bound replay cost.
      */
     addToHistory(session, msg) {
         if (msg.type === 'output') {
             const last = session.outputHistory[session.outputHistory.length - 1];
-            if (last?.type === 'output' && last.data.length < 100_000) {
+            if (last?.type === 'output' && last.data.length < SessionManager.MAX_OUTPUT_CHUNK) {
                 last.data += msg.data;
                 this.persistToDiskDebounced();
                 return;
             }
+            // Split oversized output into bounded chunks
+            if (msg.data.length > SessionManager.MAX_OUTPUT_CHUNK) {
+                for (let i = 0; i < msg.data.length; i += SessionManager.MAX_OUTPUT_CHUNK) {
+                    session.outputHistory.push({ type: 'output', data: msg.data.slice(i, i + SessionManager.MAX_OUTPUT_CHUNK) });
+                }
+                if (session.outputHistory.length > MAX_HISTORY) {
+                    session.outputHistory.splice(0, session.outputHistory.length - MAX_HISTORY);
+                }
+                this.persistToDiskDebounced();
+                return;
+            }
         }
         session.outputHistory.push(msg);
         if (session.outputHistory.length > MAX_HISTORY) {
-            session.outputHistory = session.outputHistory.slice(-MAX_HISTORY);
+            session.outputHistory.splice(0, session.outputHistory.length - MAX_HISTORY);
         }
         this.persistToDiskDebounced();
     }
@@ -1549,6 +1840,10 @@ export class SessionManager {
     /** Graceful shutdown: complete in-progress tasks, persist state, kill all processes.
      *  Returns a promise that resolves once all Claude processes have exited. */
     shutdown() {
+        if (this._idleReaperInterval) {
+            clearInterval(this._idleReaperInterval);
+            this._idleReaperInterval = null;
+        }
         // Complete in-progress tasks for active sessions before persisting.
         // This handles self-deploy: the commit/push task was the last step, and
         // the server restart means it succeeded. Without this, restored sessions
@@ -1571,7 +1866,6 @@ export class SessionManager {
                     session.claudeProcess.stop();
                 }));
             }
-            this.clearStallTimer(session);
         }
         this.archive.shutdown();
         if (exitPromises.length === 0)