copillm 0.1.2 → 0.1.5

package/README.md

@@ -1,7 +1,7 @@
 # copillm
 
 [![PR gate](https://github.com/jcjc-dev/copillm/actions/workflows/pr-gate.yml/badge.svg?branch=main)](https://github.com/jcjc-dev/copillm/actions/workflows/pr-gate.yml)
-[![Release gate](https://github.com/jcjc-dev/copillm/actions/workflows/release-gate.yml/badge.svg?branch=main&event=schedule)](https://github.com/jcjc-dev/copillm/actions/workflows/release-gate.yml)
+[![Upstream e2e (nightly)](https://github.com/jcjc-dev/copillm/actions/workflows/upstream-e2e.yml/badge.svg?branch=main&event=schedule)](https://github.com/jcjc-dev/copillm/actions/workflows/upstream-e2e.yml)
 [![npm version](https://img.shields.io/npm/v/copillm.svg)](https://www.npmjs.com/package/copillm)
 [![Node.js version](https://img.shields.io/node/v/copillm.svg)](https://www.npmjs.com/package/copillm)
 

package/dist/agentconfig/load.js

@@ -3,7 +3,7 @@ import path from "node:path";
 import { parse as parseToml, TomlError } from "smol-toml";
 import { ZodError } from "zod";
 import { getCopillmHome } from "../config/home.js";
-import { AgentTomlSchema, UNSET_SENTINEL } from "./schema.js";
+import { AgentTomlSchema } from "./schema.js";
 export class AgentConfigError extends Error {
     constructor(message) {
         super(message);
@@ -97,16 +97,13 @@ function mergeAndResolve(input) {
     const instructions = instructionsBody !== null && instructionsBody.trim().length > 0
         ? { body: instructionsBody }
         : null;
-    // Merge mcp.servers map; later layers replace earlier same-named entries;
-    // `inherit = "@unset"` removes an inherited entry.
+    // Merge mcp.servers map; later layers replace earlier same-named entries.
+    // Defaults are always-on: a profile may override a default by name but
+    // cannot remove it.
     const servers = {};
     for (const layer of layers) {
         const layerServers = layer.mcp?.servers ?? {};
         for (const [name, value] of Object.entries(layerServers)) {
-            if ("inherit" in value && value.inherit === UNSET_SENTINEL) {
-                delete servers[name];
-                continue;
-            }
             servers[name] = expandEnv(value);
         }
     }

package/dist/agentconfig/render.js

@@ -1,33 +1,43 @@
-import path from "node:path";
 import fs from "node:fs";
-import { stringify as stringifyToml } from "smol-toml";
+import os from "node:os";
+import path from "node:path";
+import { parse as parseToml, stringify as stringifyToml, TomlError } from "smol-toml";
 import { AgentConfigError } from "./load.js";
+import { getCopillmHome } from "../config/home.js";
 import { HASH_COMMENT, HTML_COMMENT, upsertManagedBlock } from "./markerBlock.js";
 // ─── Codex ────────────────────────────────────────────────────────────────
 export function renderCodex(input) {
     const writes = [];
     const notes = [];
-    // 1. MCP block inside <CODEX_HOME>/config.toml. The file is generated by
-    //    src/codex/init.ts and ends with a blank line; we append the marker
-    //    section after it.
     const codexConfigPath = path.join(input.codexHomeDir, "config.toml");
-    const mcpToml = renderCodexMcpToml(input.resolved.mcpServers);
-    if (fs.existsSync(codexConfigPath)) {
-        const existing = fs.readFileSync(codexConfigPath, "utf8");
-        const next = upsertManagedBlock(existing, mcpToml, HASH_COMMENT);
-        if (next !== existing) {
-            writes.push({
-                path: codexConfigPath,
-                content: next,
-                mode: 0o600,
-                description: "Codex config.toml MCP block"
-            });
+    const existing = fs.existsSync(codexConfigPath) ? fs.readFileSync(codexConfigPath, "utf8") : "";
+    let next = existing;
+    if (input.codexBaseConfigSourcePath) {
+        if (fs.existsSync(input.codexBaseConfigSourcePath)) {
+            const source = fs.readFileSync(input.codexBaseConfigSourcePath, "utf8");
+            next = mergeCodexBaseConfig(next, source, codexConfigPath, input.codexBaseConfigSourcePath);
+        }
+        else {
+            notes.push(`Codex source config not found at ${input.codexBaseConfigSourcePath}; ` +
+                `run \`copillm start\` or \`copillm codex\` once first.`);
         }
     }
-    else {
+    const mcpToml = renderCodexMcpToml(input.resolved.mcpServers);
+    if (next.length === 0 && mcpToml.length > 0) {
         notes.push(`Codex config not found at ${codexConfigPath}; skipping MCP injection. ` +
             `Run \`copillm start\` first.`);
     }
+    else {
+        next = upsertManagedBlock(next, mcpToml, HASH_COMMENT);
+    }
+    if (next !== existing) {
+        writes.push({
+            path: codexConfigPath,
+            content: next,
+            mode: 0o600,
+            description: "Codex config.toml"
+        });
+    }
     // 2. AGENTS.md instruction block.
     if (input.resolved.instructions) {
         const agentsPath = path.join(input.codexHomeDir, "AGENTS.md");
@@ -44,6 +54,53 @@ export function renderCodex(input) {
     }
     return { writes, envOverlay: {}, cliArgs: [], notes };
 }
+function mergeCodexBaseConfig(targetRaw, sourceRaw, targetPath, sourcePath) {
+    const targetDoc = parseCodexToml(targetRaw, targetPath);
+    const sourceDoc = parseCodexToml(sourceRaw, sourcePath);
+    const providerId = getStringField(sourceDoc, "model_provider");
+    if (!providerId) {
+        throw new AgentConfigError(`Codex source config at ${sourcePath} is missing model_provider.`);
+    }
+    for (const key of ["model", "model_provider", "model_reasoning_effort", "approvals_reviewer"]) {
+        if (key in sourceDoc) {
+            targetDoc[key] = sourceDoc[key];
+        }
+    }
+    const sourceProviders = asRecord(sourceDoc.model_providers);
+    const selectedProvider = asRecord(sourceProviders?.[providerId]);
+    if (!selectedProvider) {
+        throw new AgentConfigError(`Codex source config at ${sourcePath} is missing [model_providers.${providerId}].`);
+    }
+    const targetProviders = asRecord(targetDoc.model_providers) ?? {};
+    targetProviders[providerId] = selectedProvider;
+    targetDoc.model_providers = targetProviders;
+    return `${stringifyToml(targetDoc).trimEnd()}\n`;
+}
+function parseCodexToml(raw, filePath) {
+    if (raw.trim().length === 0) {
+        return {};
+    }
+    try {
+        const parsed = parseToml(raw);
+        return asRecord(parsed) ?? {};
+    }
+    catch (error) {
+        if (error instanceof TomlError) {
+            throw new AgentConfigError(`Failed to parse ${filePath}: ${error.message}`);
+        }
+        throw error;
+    }
+}
+function asRecord(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        return null;
+    }
+    return value;
+}
+function getStringField(doc, key) {
+    const value = doc[key];
+    return typeof value === "string" && value.length > 0 ? value : null;
+}
 function renderCodexMcpToml(servers) {
     if (Object.keys(servers).length === 0)
         return "";
@@ -79,93 +136,134 @@ const TOML_IDENT = /^[A-Za-z0-9_-]+$/;
 function isValidTomlIdent(name) {
     return TOML_IDENT.test(name);
 }
+// ─── Claude Code ──────────────────────────────────────────────────────────
+/**
+ * Launcher mode writes a copillm-owned MCP config and returns --mcp-config.
+ * Native sync mode writes the user-level Claude config that Claude reads
+ * without a copillm wrapper.
+ */
 export function renderClaude(input) {
     const writes = [];
     const notes = [];
-    // 1. .mcp.json (project scope) — preserve user entries.
-    const mcpJsonPath = path.join(input.cwd, ".mcp.json");
-    const claudeMcp = renderClaudeMcp(mcpJsonPath, input.resolved.mcpServers);
-    if (claudeMcp) {
-        writes.push({
-            path: mcpJsonPath,
-            content: claudeMcp,
-            mode: 0o600,
-            description: "Claude Code .mcp.json"
-        });
+    const cliArgs = [];
+    if (input.nativeSync) {
+        writes.push(...renderClaudeNativeWrites(input));
+        if (input.resolved.instructions) {
+            notes.push("Claude: instructions fan-out is unsupported (Claude has no out-of-tree " +
+                "instructions hook). Move guidance to ~/.claude/CLAUDE.md or your " +
+                "project's CLAUDE.md manually.");
+        }
+        return { writes, envOverlay: {}, cliArgs, notes };
     }
-    // 2. CLAUDE.md instruction block.
-    if (input.resolved.instructions) {
-        const claudeMdPath = path.join(input.cwd, "CLAUDE.md");
-        const existing = fs.existsSync(claudeMdPath) ? fs.readFileSync(claudeMdPath, "utf8") : "";
-        const next = upsertManagedBlock(existing, input.resolved.instructions.body, HTML_COMMENT);
-        if (next !== existing) {
+    const claudeDir = path.join(getCopillmHome(), "claude");
+    const mcpJsonPath = path.join(claudeDir, "mcp.json");
+    const serverCount = Object.keys(input.resolved.mcpServers).length;
+    if (serverCount > 0) {
+        const content = renderClaudeMcp(input.resolved.mcpServers);
+        const existing = fs.existsSync(mcpJsonPath) ? fs.readFileSync(mcpJsonPath, "utf8") : null;
+        if (existing !== content) {
             writes.push({
-                path: claudeMdPath,
-                content: next,
+                path: mcpJsonPath,
+                content,
                 mode: 0o600,
-                description: "CLAUDE.md instructions block"
+                description: "Claude Code mcp.json (copillm-managed)"
             });
         }
+        cliArgs.push("--mcp-config", mcpJsonPath);
     }
-    return { writes, envOverlay: {}, cliArgs: [], notes };
+    else if (fs.existsSync(mcpJsonPath)) {
+        // Profile no longer declares any servers — clear the stale file so we
+        // don't keep referencing dead config on the next launch.
+        fs.rmSync(mcpJsonPath, { force: true });
+        notes.push(`Removed stale ${mcpJsonPath} (no MCP servers in active profile).`);
+    }
+    if (input.resolved.instructions) {
+        notes.push("Claude: instructions fan-out is unsupported (Claude has no out-of-tree " +
+            "instructions hook). Move guidance to ~/.claude/CLAUDE.md or your " +
+            "project's CLAUDE.md manually.");
+    }
+    return { writes, envOverlay: {}, cliArgs, notes };
 }
-function renderClaudeMcp(mcpJsonPath, servers) {
-    let existing = {};
-    if (fs.existsSync(mcpJsonPath)) {
-        try {
-            existing = JSON.parse(fs.readFileSync(mcpJsonPath, "utf8"));
-            if (typeof existing !== "object" || existing === null) {
-                throw new Error("not an object");
+function renderClaudeNativeWrites(input) {
+    const writes = [];
+    const homeDir = userHomeDir();
+    const userConfigPath = path.join(homeDir, ".claude.json");
+    const settingsPath = path.join(homeDir, ".claude", "settings.json");
+    const manifestPath = path.join(getCopillmHome(), "claude", "native-mcp-manifest.json");
+    const serverNames = Object.keys(input.resolved.mcpServers);
+    const previousServerNames = readClaudeNativeManifest(manifestPath);
+    if (serverNames.length > 0 || previousServerNames.length > 0) {
+        const existing = readJsonObject(userConfigPath);
+        const mcpServers = asRecord(existing.mcpServers) ?? {};
+        for (const name of previousServerNames) {
+            if (!serverNames.includes(name)) {
+                delete mcpServers[name];
             }
         }
-        catch (error) {
-            throw new AgentConfigError(`Failed to parse ${mcpJsonPath}: ${error.message}. ` +
-                `Fix or remove the file and re-run.`);
+        for (const [name, server] of Object.entries(input.resolved.mcpServers)) {
+            mcpServers[name] = serverToClaudeShape(server);
         }
-    }
-    const managed = new Set(existing._copillmManaged ?? []);
-    const userOwned = new Set(Object.keys(existing.mcpServers ?? {}).filter((n) => !managed.has(n)));
-    // Detect conflicts: a copillm-managed name collides with a user-owned name.
-    const newNames = Object.keys(servers);
-    for (const name of newNames) {
-        if (userOwned.has(name)) {
-            throw new AgentConfigError(`MCP server name "${name}" already exists in ${mcpJsonPath} and is owned by the user ` +
-                `(not previously managed by copillm). Rename one side, or move the user's entry ` +
-                `into agent.toml so copillm can manage it.`);
+        if (Object.keys(mcpServers).length > 0) {
+            existing.mcpServers = mcpServers;
         }
+        else {
+            delete existing.mcpServers;
+        }
+        writes.push({
+            path: userConfigPath,
+            content: `${JSON.stringify(existing, null, 2)}\n`,
+            mode: 0o600,
+            description: "Claude Code user MCP config"
+        });
+        writes.push({
+            path: manifestPath,
+            content: `${JSON.stringify({ servers: serverNames }, null, 2)}\n`,
+            mode: 0o600,
+            description: "Claude Code native MCP manifest"
+        });
     }
-    // Strip previously-managed entries from the user's file before adding ours.
-    const nextServers = {};
-    for (const [name, value] of Object.entries(existing.mcpServers ?? {})) {
-        if (!managed.has(name))
-            nextServers[name] = value;
-    }
-    for (const [name, server] of Object.entries(servers)) {
-        nextServers[name] = serverToClaudeShape(server);
-    }
-    const nextFile = { ...existing };
-    if (Object.keys(nextServers).length > 0) {
-        nextFile.mcpServers = nextServers;
+    if (input.env && Object.keys(input.env).length > 0) {
+        const settings = readJsonObject(settingsPath);
+        const env = asRecord(settings.env) ?? {};
+        settings.env = { ...env, ...input.env };
+        writes.push({
+            path: settingsPath,
+            content: `${JSON.stringify(settings, null, 2)}\n`,
+            mode: 0o600,
+            description: "Claude Code settings.json env block"
+        });
     }
-    else {
-        delete nextFile.mcpServers;
+    return writes;
+}
+function userHomeDir() {
+    return process.env.HOME ?? os.homedir();
+}
+function readClaudeNativeManifest(filePath) {
+    const doc = readJsonObject(filePath);
+    const servers = doc.servers;
+    if (!Array.isArray(servers)) {
+        return [];
     }
-    if (newNames.length > 0) {
-        nextFile._copillmManaged = newNames;
+    return servers.filter((server) => typeof server === "string");
+}
+function readJsonObject(filePath) {
+    if (!fs.existsSync(filePath)) {
+        return {};
     }
-    else {
-        delete nextFile._copillmManaged;
+    try {
+        const parsed = JSON.parse(fs.readFileSync(filePath, "utf8"));
+        return asRecord(parsed) ?? {};
     }
-    const serialized = `${JSON.stringify(nextFile, null, 2)}\n`;
-    // Avoid pointless writes when state is unchanged.
-    if (fs.existsSync(mcpJsonPath) && fs.readFileSync(mcpJsonPath, "utf8") === serialized) {
-        return null;
+    catch (error) {
+        throw new AgentConfigError(`Failed to parse ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
     }
-    // If we'd produce an empty file (no servers, no other keys), skip writing.
-    if (Object.keys(nextFile).length === 0 && !fs.existsSync(mcpJsonPath)) {
-        return null;
+}
+function renderClaudeMcp(servers) {
+    const out = {};
+    for (const [name, server] of Object.entries(servers)) {
+        out[name] = serverToClaudeShape(server);
     }
-    return serialized;
+    return `${JSON.stringify({ mcpServers: out }, null, 2)}\n`;
 }
 function serverToClaudeShape(server) {
     if (server.transport === "stdio") {
@@ -305,10 +403,18 @@ export function planRender(opts, load) {
             if (!opts.codexHomeDir) {
                 throw new AgentConfigError("renderCodex requires codexHomeDir");
             }
-            return renderCodex({ ...baseInput, codexHomeDir: opts.codexHomeDir });
+            return renderCodex({
+                ...baseInput,
+                codexHomeDir: opts.codexHomeDir,
+                codexBaseConfigSourcePath: opts.codexBaseConfigSourcePath
+            });
         }
         case "claude":
-            return renderClaude(baseInput);
+            return renderClaude({
+                ...baseInput,
+                nativeSync: opts.claudeNativeSync,
+                env: opts.claudeEnv
+            });
         case "pi":
             return renderPi(baseInput);
         case "copilot":

package/dist/agentconfig/schema.js

@@ -3,12 +3,15 @@ import { z } from "zod";
  * Schema for `~/.copillm/agent.toml` (global) and `<cwd>/.copillm/agent.toml`
  * (project overlay). See plans/unified-booping-mango.md for design rationale.
  *
- * Sections under `[defaults.*]` apply to every profile; profiles override by
- * deep-merge. v1 only wires `instructions` and `mcp` into fan-out — the other
+ * Sections under `[defaults.*]` always apply, regardless of which profile is
+ * active. A profile may override a default by re-declaring an entry with the
+ * same key (e.g. `[profiles.work.mcp.servers.<name>]` replaces the same-named
+ * `[defaults.mcp.servers.<name>]`). There is no way to *remove* a default from
+ * a profile — defaults are intentionally always-on. v1 only wires
+ * `instructions` and `mcp` into fan-out — the other
  * sections (`skills`, `agents`, `hooks`, `permissions`) are reserved-but-
  * permissive so users can start populating them without future TOML breaking.
  */
-export const UNSET_SENTINEL = "@unset";
 const StringRecord = z.record(z.string());
 const McpStdioSchema = z
     .object({
@@ -28,12 +31,7 @@ const McpHttpSchema = z
     scope: z.enum(["project", "user"]).optional()
 })
     .strict();
-const McpInheritUnset = z
-    .object({
-    inherit: z.literal(UNSET_SENTINEL)
-})
-    .strict();
-export const McpServerSchema = z.union([McpStdioSchema, McpHttpSchema, McpInheritUnset]);
+export const McpServerSchema = z.union([McpStdioSchema, McpHttpSchema]);
 const InstructionsSchema = z
     .object({
     body: z.string()

package/dist/cli/configCommands.js

@@ -1,10 +1,13 @@
 import fs from "node:fs";
+import os from "node:os";
 import path from "node:path";
 import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
 import { getCopillmHome } from "../config/home.js";
 import { ensureSecureDirectory, writeFileSecureAtomic } from "../config/fsSecurity.js";
+import { loadConfig } from "../config/config.js";
 import { AgentConfigError, loadAgentConfig } from "../agentconfig/load.js";
 import { applyAgentConfig, formatApplyNotes } from "../agentconfig/apply.js";
+import { buildClaudeEnvBundle } from "./agentEnv.js";
 const SCAFFOLD_TOML = `# copillm agent config — one source of truth for instructions and MCP servers
 # fanned out to each coding agent on \`copillm <agent>\` launch.
 # See: https://github.com/jcjc-dev/copillm (plans/unified-booping-mango.md)
@@ -112,7 +115,7 @@ export function registerConfigCommands(program) {
     });
     config
         .command("sync")
-        .description("Run fan-out without launching an agent (debug aid)")
+        .description("Sync resolved config to the agent's native paths without launching")
         .requiredOption("--agent <kind>", "codex | claude | pi | copilot")
         .option("--profile <name>", "Override active profile for this run")
         .action((opts) => {
@@ -122,11 +125,21 @@ export function registerConfigCommands(program) {
             process.exit(1);
         }
         try {
+            const claudeEnv = agent === "claude"
+                ? buildClaudeEnvBundle({
+                    port: loadConfig().preferredPort,
+                    callerSecret: null,
+                    enableGatewayDiscovery: true
+                }).env
+                : undefined;
             const result = applyAgentConfig({
                 agent,
                 cwd: process.cwd(),
                 profileOverride: opts.profile ?? null,
-                codexHomeDir: agent === "codex" ? path.join(getCopillmHome(), "codex") : undefined
+                codexHomeDir: agent === "codex" ? path.join(os.homedir(), ".codex") : undefined,
+                codexBaseConfigSourcePath: agent === "codex" ? path.join(getCopillmHome(), "codex", "config.toml") : undefined,
+                claudeNativeSync: agent === "claude",
+                claudeEnv
             });
             for (const line of formatApplyNotes(result, agent)) {
                 process.stdout.write(`${line}\n`);

package/dist/cli/launchAgent.js

@@ -52,6 +52,14 @@ function installHint(agent) {
             "    npm i -g @earendil-works/pi-coding-agent"
         ].join("\n");
     }
+    if (agent === "copilot") {
+        return [
+            "Hint: install GitHub Copilot CLI manually with one of:",
+            "    brew install --cask github-copilot-cli",
+            "    npm i -g @github/copilot",
+            "    https://github.com/github/copilot-cli"
+        ].join("\n");
+    }
     return [
         "Hint: install Claude Code manually with:",
         "    npm i -g @anthropic-ai/claude-code"

package/dist/cli/processSafetyNet.js

@@ -0,0 +1,52 @@
+import { isBenignSocketError } from "../server/requestLifecycle.js";
+/**
+ * Install a process-level safety net for the daemon. When an unexpected
+ * `uncaughtException` or `unhandledRejection` escapes the per-request error
+ * handling, we log it loudly and keep the process alive. A daemon dying on
+ * a per-request bug is strictly worse than continuing to serve the next
+ * request: clients (Codex, Claude Code, pi) lose ALL in-flight streams when
+ * the process exits, and the user has to manually `copillm start` again.
+ *
+ * Benign socket errors (ECONNRESET / EPIPE / ERR_STREAM_DESTROYED / aborted
+ * fetches) are downgraded to debug — they're a normal part of SSE life and
+ * would otherwise spam the logs.
+ *
+ * Returns a disposer that uninstalls the handlers (used by tests).
+ */
+export function installProcessSafetyNet(logger) {
+    const onUncaught = (error) => {
+        if (isBenignSocketError(error)) {
+            logger.debug({ event: "process_safety_net", kind: "uncaught_exception", err: toErrLike(error) }, "swallowed benign socket error at process level");
+            return;
+        }
+        logger.error({ event: "process_safety_net", kind: "uncaught_exception", err: toErrLike(error) }, "uncaught exception in daemon — keeping process alive");
+    };
+    const onUnhandled = (reason) => {
+        if (isBenignSocketError(reason)) {
+            logger.debug({ event: "process_safety_net", kind: "unhandled_rejection", err: toErrLike(reason) }, "swallowed benign socket rejection at process level");
+            return;
+        }
+        logger.error({ event: "process_safety_net", kind: "unhandled_rejection", err: toErrLike(reason) }, "unhandled promise rejection in daemon — keeping process alive");
+    };
+    process.on("uncaughtException", onUncaught);
+    process.on("unhandledRejection", onUnhandled);
+    return () => {
+        process.off("uncaughtException", onUncaught);
+        process.off("unhandledRejection", onUnhandled);
+    };
+}
+function toErrLike(value) {
+    if (value instanceof Error) {
+        const out = {
+            type: value.name,
+            message: value.message
+        };
+        if (value.stack)
+            out.stack = value.stack;
+        const code = value.code;
+        if (typeof code === "string")
+            out.code = code;
+        return out;
+    }
+    return { type: typeof value, message: String(value) };
+}

package/dist/cli/resolveAgent.js

@@ -6,12 +6,14 @@ import { getCopillmHome } from "../config/home.js";
 const NPM_PACKAGES = {
     codex: "@openai/codex",
     claude: "@anthropic-ai/claude-code",
-    pi: "@earendil-works/pi-coding-agent"
+    pi: "@earendil-works/pi-coding-agent",
+    copilot: "@github/copilot"
 };
 const BIN_NAMES = {
     codex: "codex",
     claude: "claude",
-    pi: "pi"
+    pi: "pi",
+    copilot: "copilot"
 };
 export function packageNameFor(agent) {
     return NPM_PACKAGES[agent];

package/dist/cli.js

@@ -25,6 +25,7 @@ import { buildClaudeEnvBundle, buildCodexEnvBundle, buildPiEnvBundle } from "./c
 import { launchAgent } from "./cli/launchAgent.js";
 import { applyAgentConfig, formatApplyNotes } from "./agentconfig/apply.js";
 import { registerConfigCommands } from "./cli/configCommands.js";
+import { installProcessSafetyNet } from "./cli/processSafetyNet.js";
 const logger = createLogger();
 const program = new Command();
 program.name("copillm").description("Local Copilot proxy").version("0.1.0");
@@ -754,6 +755,49 @@ program
     });
     process.exit(exitCode);
 });
+program
+    .command("copilot")
+    .description("Launch GitHub Copilot CLI reusing copillm's stored GitHub token (no second device flow)")
+    .option("--copillm-use <spec>", "Pin copilot package version (e.g. 1.0.52 or @github/copilot@1.0.52)")
+    .option("--copillm-profile <name>", "Override active profile from ~/.copillm/agent.toml for this launch")
+    .option("--copillm-no-config", "Skip agent.toml fan-out for this launch", false)
+    .allowUnknownOption(true)
+    .passThroughOptions()
+    .helpOption(false)
+    .argument("[args...]", "Args forwarded to copilot")
+    .action(async (forwardedArgs, opts) => {
+    const credential = await loadStoredCredential();
+    if (!credential) {
+        process.stderr.write("copillm: no stored GitHub credential — run `copillm auth login` first.\n");
+        process.exit(1);
+        return;
+    }
+    const pinnedSpec = opts.copillmUse ?? process.env.COPILLM_COPILOT_VERSION ?? undefined;
+    const applyResult = applyAgentConfig({
+        agent: "copilot",
+        cwd: process.cwd(),
+        profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null,
+        skip: Boolean(opts.copillmNoConfig)
+    });
+    for (const line of formatApplyNotes(applyResult, "copilot")) {
+        process.stderr.write(`${line}\n`);
+    }
+    // Inject the stored GitHub OAuth token into the child env only — never
+    // export to the parent shell and never persist. Copilot CLI honours
+    // COPILOT_GITHUB_TOKEN ahead of its own stored credentials, so this
+    // short-circuits its device-flow login when copillm already has a token.
+    const env = {
+        ...applyResult.envOverlay,
+        COPILOT_GITHUB_TOKEN: credential.token
+    };
+    const exitCode = await launchAgent({
+        agent: "copilot",
+        args: [...(forwardedArgs ?? []), ...applyResult.cliArgs],
+        env,
+        pinnedSpec
+    });
+    process.exit(exitCode);
+});
 registerConfigCommands(program);
 program.parseAsync(process.argv).catch((error) => {
     if (error instanceof Error) {
@@ -814,6 +858,7 @@ async function runDaemon(options) {
         tokenManager.clear();
         throw new Error(`No available port in configured range (${ports[0]}-${ports[ports.length - 1]}).`);
     }
+    installProcessSafetyNet(logger);
     let shuttingDown = false;
     const shutdown = async () => {
         if (shuttingDown) {

package/dist/server/proxy.js

@@ -10,6 +10,7 @@ import { translateOpenAIStreamToAnthropic, writeAnthropicPrelude } from "../tran
 import { buildCodexCatalog } from "./codexSchema.js";
 import { getGithubUserSummary, GithubUserFetchError } from "./debugInfo.js";
 import { buildAnthropicModelsResponse } from "./anthropicModelsResponse.js";
+import { attachRequestLifecycle, isBenignSocketError, safeEnd, safeSendJson, safeWrite } from "./requestLifecycle.js";
 const COPILOT_HEADERS = {
     "Content-Type": "application/json",
     "Copilot-Integration-Id": "vscode-chat",
@@ -49,6 +50,7 @@ export async function startProxyServer(input) {
         const requestId = randomUUID();
         const startedAt = Date.now();
         const pathname = safePathname(req.url);
+        const lifecycle = attachRequestLifecycle(req, res, input.logger, requestId);
         res.on("finish", () => {
             input.logger.info({
                 event: "http_request",
@@ -199,11 +201,17 @@ export async function startProxyServer(input) {
                     body: upstreamBody,
                     requestId,
                     logger: input.logger,
-                    upstreamPath
+                    upstreamPath,
+                    signal: lifecycle.signal
                 });
                 await forwardResponse(upstream, route.anthroShape, res, requestedModel ?? undefined, prelude);
             }
             catch (error) {
+                if (isBenignSocketError(error)) {
+                    input.logger.debug({ event: "upstream_aborted", request_id: requestId, err: error }, "upstream request aborted (client disconnected)");
+                    safeEnd(res);
+                    return;
+                }
                 if (error instanceof CopilotTokenManagerError) {
                     if (prelude) {
                         writeAnthropicSseError(res, prelude, "token_refresh_failed");
@@ -232,8 +240,31 @@ export async function startProxyServer(input) {
                 sendJson(res, 400, { error: error.code, detail: error.message });
                 return;
             }
-            input.logger.error({ err: error }, "request failed");
+            if (isBenignSocketError(error)) {
+                input.logger.debug({ event: "request_client_gone", request_id: requestId, err: error }, "request handler aborted because client disconnected");
+                safeEnd(res);
+                return;
+            }
+            input.logger.error({ err: error, request_id: requestId }, "request failed");
             sendJson(res, 500, { error: "internal_error" });
+            safeEnd(res);
+        }
+    });
+    server.on("clientError", (err, socket) => {
+        input.logger.debug({ event: "client_error", code: err?.code }, "malformed HTTP from client");
+        if (socket.writable) {
+            try {
+                socket.end("HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n");
+            }
+            catch {
+                // Socket likely already gone — nothing to do.
+            }
+        }
+        try {
+            socket.destroy();
+        }
+        catch {
+            // best effort
         }
     });
     await new Promise((resolve, reject) => {
@@ -256,8 +287,11 @@ async function postToCopilot(input) {
     let forceRefresh = false;
     let authRefreshRetried = false;
     for (let attempt = 1; attempt <= MAX_UPSTREAM_ATTEMPTS; attempt += 1) {
+        if (input.signal?.aborted) {
+            throw abortErrorFromSignal(input.signal);
+        }
         try {
-            const response = await postWithCurrentBearer(input.tokenManager, input.accountType, input.body, forceRefresh, input.requestId, input.upstreamPath);
+            const response = await postWithCurrentBearer(input.tokenManager, input.accountType, input.body, forceRefresh, input.requestId, input.upstreamPath, input.signal);
             forceRefresh = false;
             if (response.status === 401 && !authRefreshRetried && attempt < MAX_UPSTREAM_ATTEMPTS) {
                 authRefreshRetried = true;
@@ -275,6 +309,10 @@ async function postToCopilot(input) {
             return response;
         }
         catch (error) {
+            if (isBenignSocketError(error)) {
+                // Client disconnected — propagate so the request handler can clean up.
+                throw error;
+            }
             if (!isRetryableTransportError(error) || attempt >= MAX_UPSTREAM_ATTEMPTS) {
                 throw error;
             }
@@ -284,7 +322,7 @@ async function postToCopilot(input) {
     }
     throw new Error("Upstream retry budget exhausted unexpectedly.");
 }
-async function postWithCurrentBearer(tokenManager, accountType, body, forceRefresh, requestId, upstreamPath) {
+async function postWithCurrentBearer(tokenManager, accountType, body, forceRefresh, requestId, upstreamPath, signal) {
     const bearer = await tokenManager.ensureToken({ forceRefresh });
     return fetch(`${accountBaseUrl(accountType)}${upstreamPath}`, {
         method: "POST",
@@ -293,9 +331,19 @@ async function postWithCurrentBearer(tokenManager, accountType, body, forceRefre
             Authorization: `Bearer ${bearer}`,
             "X-Request-Id": requestId
         },
-        body: JSON.stringify(body)
+        body: JSON.stringify(body),
+        signal
     });
 }
+function abortErrorFromSignal(signal) {
+    const reason = signal.reason;
+    if (reason instanceof Error) {
+        return reason;
+    }
+    const err = new Error("Request aborted by client");
+    err.name = "AbortError";
+    return err;
+}
 async function forwardResponse(upstream, anthroShape, res, requestedModel, prelude) {
     if (!upstream.ok) {
         await discardUpstreamBody(upstream);
@@ -386,7 +434,17 @@ async function pipeEventStream(upstream, res) {
     if (res.socket && typeof res.socket.setNoDelay === "function") {
         res.socket.setNoDelay(true);
     }
-    await pipeline(Readable.fromWeb(upstream.body), res);
+    try {
+        await pipeline(Readable.fromWeb(upstream.body), res);
+    }
+    catch (error) {
+        if (isBenignSocketError(error)) {
+            // Client went away mid-stream — normal for SSE consumers (Codex,
+            // Claude Code, pi) that cancel pending responses on user input.
+            return;
+        }
+        throw error;
+    }
 }
 function isEventStream(upstream) {
     const contentType = upstream.headers.get("content-type");
@@ -415,16 +473,16 @@ function beginAnthropicSseResponse(res, req) {
 export function writeAnthropicSseError(res, prelude, code) {
     void prelude;
     try {
-        res.write(`event: message_delta\ndata: ${JSON.stringify({
+        safeWrite(res, `event: message_delta\ndata: ${JSON.stringify({
             type: "message_delta",
             delta: { stop_reason: "end_turn", stop_sequence: null },
             usage: { input_tokens: 0, output_tokens: 0, cache_read_input_tokens: 0 }
         })}\n\n`);
-        res.write(`event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: code } })}\n\n`);
-        res.write(`event: message_stop\ndata: ${JSON.stringify({ type: "message_stop" })}\n\n`);
+        safeWrite(res, `event: error\ndata: ${JSON.stringify({ type: "error", error: { type: "api_error", message: code } })}\n\n`);
+        safeWrite(res, `event: message_stop\ndata: ${JSON.stringify({ type: "message_stop" })}\n\n`);
     }
     finally {
-        res.end();
+        safeEnd(res);
     }
 }
 function isLocalRequest(req) {
@@ -455,9 +513,7 @@ async function readJson(req) {
     }
 }
 function sendJson(res, status, payload) {
-    res.statusCode = status;
-    res.setHeader("Content-Type", "application/json");
-    res.end(JSON.stringify(payload));
+    safeSendJson(res, status, payload);
 }
 function readRequestedModel(payload) {
     if (!payload || typeof payload !== "object") {

package/dist/server/requestLifecycle.js

@@ -0,0 +1,115 @@
+// Node error codes we treat as "client went away, this is normal" — they
+// must never crash the daemon and must not be reported as errors. SSE clients
+// (Codex, Claude Code, pi) abort streams constantly: user types another
+// prompt, hits Esc, switches turns, etc.
+const BENIGN_SOCKET_ERROR_CODES = new Set([
+    "ECONNRESET",
+    "EPIPE",
+    "ERR_STREAM_PREMATURE_CLOSE",
+    "ERR_STREAM_DESTROYED",
+    "ERR_STREAM_WRITE_AFTER_END",
+    "ERR_HTTP_HEADERS_SENT"
+]);
+export function isBenignSocketError(error) {
+    if (!error || typeof error !== "object") {
+        return false;
+    }
+    const err = error;
+    if (typeof err.code === "string" && BENIGN_SOCKET_ERROR_CODES.has(err.code)) {
+        return true;
+    }
+    if (err.name === "AbortError") {
+        return true;
+    }
+    if (err.cause && isBenignSocketError(err.cause)) {
+        return true;
+    }
+    return false;
+}
+export function attachRequestLifecycle(req, res, logger, requestId) {
+    const controller = new AbortController();
+    let alive = true;
+    const markGone = (source, err) => {
+        if (!alive) {
+            return;
+        }
+        alive = false;
+        if (err && !isBenignSocketError(err)) {
+            logger.debug({ event: "request_lifecycle_error", request_id: requestId, source, err }, "request stream errored");
+        }
+        else if (source !== "close" || err) {
+            logger.debug({ event: "request_lifecycle_closed", request_id: requestId, source }, "client disconnected");
+        }
+        if (!controller.signal.aborted) {
+            controller.abort();
+        }
+    };
+    res.on("close", () => markGone("close"));
+    res.on("error", (err) => markGone("error", err));
+    req.on("aborted", () => markGone("aborted"));
+    req.on("error", (err) => markGone("error", err));
+    return {
+        signal: controller.signal,
+        isAlive: () => alive && res.writable && !res.writableEnded
+    };
+}
+/**
+ * Writes a JSON response, but is a no-op when the response is already
+ * committed or the socket is gone. This is the safe replacement for
+ * `res.setHeader(...) + res.end(...)` in any path that might run after a
+ * streaming response has started flushing.
+ */
+export function safeSendJson(res, status, payload) {
+    if (res.headersSent || !res.writable || res.writableEnded) {
+        return;
+    }
+    try {
+        res.statusCode = status;
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(payload));
+    }
+    catch (error) {
+        if (isBenignSocketError(error)) {
+            return;
+        }
+        throw error;
+    }
+}
+/**
+ * Best-effort write to a downstream Writable. Returns false when the chunk
+ * could not be delivered (because the stream is destroyed or the write
+ * threw a benign socket error). Non-benign errors are re-thrown so they're
+ * still visible to the caller.
+ */
+export function safeWrite(downstream, chunk) {
+    if (!downstream.writable || downstream.writableEnded || downstream.destroyed) {
+        return false;
+    }
+    try {
+        return downstream.write(chunk);
+    }
+    catch (error) {
+        if (isBenignSocketError(error)) {
+            return false;
+        }
+        throw error;
+    }
+}
+/**
+ * Best-effort end of a downstream Writable. Swallows benign socket errors;
+ * never throws on a destroyed stream.
+ */
+export function safeEnd(downstream) {
+    if (downstream.writableEnded || downstream.destroyed) {
+        return;
+    }
+    try {
+        downstream.end();
+    }
+    catch (error) {
+        if (isBenignSocketError(error)) {
+            return;
+        }
+        throw error;
+    }
+}

package/dist/translation/streamingOpenAIToAnthropic.js

@@ -1,4 +1,5 @@
 import { randomUUID } from "node:crypto";
+import { isBenignSocketError } from "../server/requestLifecycle.js";
 const PING_INTERVAL_MS = 1000;
 export async function translateOpenAIStreamToAnthropic(options) {
     const { upstream, downstream } = options;
@@ -16,11 +17,37 @@ export async function translateOpenAIStreamToAnthropic(options) {
     let nextAnthropicIndex = 0;
     let streamErrored = false;
     let pingTimer = null;
+    let downstreamGone = false;
+    function isDownstreamAlive() {
+        if (downstreamGone)
+            return false;
+        return downstream.writable && !downstream.writableEnded && !downstream.destroyed;
+    }
+    function markDownstreamGone() {
+        if (downstreamGone)
+            return;
+        downstreamGone = true;
+        stopPings();
+        // Best-effort: also stop reading upstream so we don't pull a megabyte
+        // of SSE we'll never deliver.
+        try {
+            upstream.destroy();
+        }
+        catch {
+            // ignore
+        }
+    }
+    downstream.on("close", markDownstreamGone);
+    downstream.on("error", markDownstreamGone);
     function startPings() {
         if (pingTimer !== null) {
             return;
         }
         pingTimer = setInterval(() => {
+            if (!isDownstreamAlive()) {
+                stopPings();
+                return;
+            }
             writeEvent("ping", { type: "ping" });
         }, PING_INTERVAL_MS);
         if (typeof pingTimer.unref === "function") {
@@ -34,7 +61,20 @@ export async function translateOpenAIStreamToAnthropic(options) {
         }
     }
     function writeEvent(eventName, data) {
-        downstream.write(`event: ${eventName}\ndata: ${JSON.stringify(data)}\n\n`);
+        if (!isDownstreamAlive()) {
+            markDownstreamGone();
+            return;
+        }
+        try {
+            downstream.write(`event: ${eventName}\ndata: ${JSON.stringify(data)}\n\n`);
+        }
+        catch (error) {
+            if (isBenignSocketError(error)) {
+                markDownstreamGone();
+                return;
+            }
+            throw error;
+        }
     }
     function emitMessageStart() {
         if (messageStarted) {
@@ -198,6 +238,10 @@ export async function translateOpenAIStreamToAnthropic(options) {
     startPings();
     try {
         for await (const chunk of upstream) {
+            if (!isDownstreamAlive()) {
+                markDownstreamGone();
+                return;
+            }
             const text = typeof chunk === "string" ? chunk : Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
             buffer += text;
             let newlineIndex;
@@ -213,8 +257,15 @@ export async function translateOpenAIStreamToAnthropic(options) {
         }
     }
     catch (error) {
-        streamErrored = true;
         stopPings();
+        if (!isDownstreamAlive() || isBenignSocketError(error)) {
+            // Either we destroyed the upstream because downstream went away, or
+            // the upstream rejected with a benign socket error. Either way, no
+            // recovery write is possible — just stop.
+            markDownstreamGone();
+            return;
+        }
+        streamErrored = true;
         emitMessageStart();
         closeAllBlocks();
         writeEvent("message_delta", {
@@ -227,13 +278,16 @@ export async function translateOpenAIStreamToAnthropic(options) {
             error: { type: "api_error", message: error instanceof Error ? error.message : "upstream stream error" }
         });
         writeEvent("message_stop", { type: "message_stop" });
-        downstream.end();
+        safeEndDownstream();
         return;
     }
     if (streamErrored) {
         return;
     }
     stopPings();
+    if (!isDownstreamAlive()) {
+        return;
+    }
     emitMessageStart();
     closeAllBlocks();
     writeEvent("message_delta", {
@@ -242,7 +296,18 @@ export async function translateOpenAIStreamToAnthropic(options) {
         usage: { input_tokens: inputTokens, output_tokens: outputTokens, cache_read_input_tokens: cacheReadTokens }
     });
     writeEvent("message_stop", { type: "message_stop" });
-    downstream.end();
+    safeEndDownstream();
+    function safeEndDownstream() {
+        if (downstream.writableEnded || downstream.destroyed)
+            return;
+        try {
+            downstream.end();
+        }
+        catch (error) {
+            if (!isBenignSocketError(error))
+                throw error;
+        }
+    }
 }
 /**
  * Write the Anthropic `message_start` event (and an initial ping) to the
@@ -269,8 +334,14 @@ export function writeAnthropicPrelude(downstream, model) {
             usage: { input_tokens: 0, cache_read_input_tokens: 0, output_tokens: 0 }
         }
     };
-    downstream.write(`event: message_start\ndata: ${JSON.stringify(messageStart)}\n\n`);
-    downstream.write(`event: ping\ndata: ${JSON.stringify({ type: "ping" })}\n\n`);
+    try {
+        downstream.write(`event: message_start\ndata: ${JSON.stringify(messageStart)}\n\n`);
+        downstream.write(`event: ping\ndata: ${JSON.stringify({ type: "ping" })}\n\n`);
+    }
+    catch (error) {
+        if (!isBenignSocketError(error))
+            throw error;
+    }
     return { messageId };
 }
 function mapFinishReason(reason) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copillm",
-  "version": "0.1.2",
+  "version": "0.1.5",
   "description": "Local Copilot proxy CLI (OpenAI/Anthropic-compatible)",
   "license": "MIT",
   "type": "module",