github-router 0.3.28 → 0.3.29

package/dist/lifecycle-BrNqqJZH.js

@@ -0,0 +1,878 @@
+import consola from "consola";
+import { randomBytes, randomUUID } from "node:crypto";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import process$1 from "node:process";
+import { execFileSync } from "node:child_process";
+
+//#region src/lib/paths.ts
+function appDir() {
+	return path.join(os.homedir(), ".local", "share", "github-router");
+}
+const PATHS = {
+	get APP_DIR() {
+		return appDir();
+	},
+	get GITHUB_TOKEN_PATH() {
+		return path.join(appDir(), "github_token");
+	},
+	get ERROR_LOG_PATH() {
+		return path.join(appDir(), "error.log");
+	},
+	get CODEX_HOME() {
+		return path.join(appDir(), "codex-isolated");
+	},
+	get CLAUDE_RUNTIME_DIR() {
+		return path.join(appDir(), "runtime");
+	},
+	get CLAUDE_CONFIG_DIR() {
+		return path.join(appDir(), "claude-config", claudeConfigDirSuffix());
+	}
+};
+/**
+* Per-launch suffix for `PATHS.CLAUDE_CONFIG_DIR`. Lazily generated on
+* first access and cached for the lifetime of the process so every
+* caller (env-var injection in `getClaudeCodeEnvVars`,
+* `ensureClaudeConfigMirror` provisioning, peer-agent `.md` writes
+* under `<dir>/agents/`, the shutdown cleanup) resolves the same path.
+*
+* Shape: `<pid>-<8 hex>`. The PID prefix is what
+* `sweepStaleClaudeConfigMirrors` keys off to drop orphans from
+* crashed prior sessions; the 8-hex random suffix prevents collision
+* if a future caller (tests, internal relaunch) ever clears the cache
+* within a single PID lifetime.
+*
+* NOT exported — every consumer should go through `PATHS.CLAUDE_CONFIG_DIR`
+* so the homedir-mock pattern used in the test suite keeps working.
+*/
+let _claudeConfigDirSuffix;
+function claudeConfigDirSuffix() {
+	if (_claudeConfigDirSuffix === void 0) _claudeConfigDirSuffix = `${process.pid}-${randomBytes(4).toString("hex")}`;
+	return _claudeConfigDirSuffix;
+}
+async function ensurePaths() {
+	await fs.mkdir(PATHS.APP_DIR, { recursive: true });
+	await fs.mkdir(PATHS.CODEX_HOME, { recursive: true });
+	await fs.mkdir(PATHS.CLAUDE_RUNTIME_DIR, { recursive: true });
+	await chmodIfPossible(PATHS.CLAUDE_RUNTIME_DIR, 448);
+	await ensureFile(PATHS.GITHUB_TOKEN_PATH);
+	await sweepStaleRuntimeFiles().catch((err) => {
+		consola.debug("Runtime sweep skipped:", err);
+	});
+	await sweepStaleClaudeConfigMirrors().catch((err) => {
+		consola.debug("Per-launch claude-config sweep skipped:", err);
+	});
+	await sweepStalePeerAgentMdFiles().catch((err) => {
+		consola.debug("Peer-agent .md sweep skipped:", err);
+	});
+	await (async () => {
+		await (await import("./lifecycle-De6QsSv8.js")).sweepStaleWorktreesAtBoot();
+	})().catch((err) => {
+		consola.debug("Worker worktree boot sweep skipped:", err);
+	});
+}
+const CLAUDE_HOME_POLICY = new Map([
+	[".credentials.json", "ISOLATED"],
+	[".credentials.json.lock", "ISOLATED"],
+	[".oauth_refresh.lock", "ISOLATED"],
+	[".github-router-managed", "ISOLATED"],
+	["statsig", "ISOLATED"],
+	["cache", "ISOLATED"],
+	["logs", "ISOLATED"],
+	["paste-cache", "ISOLATED"],
+	["jobs", "ISOLATED"],
+	["daemon", "ISOLATED"],
+	["daemon.log", "ISOLATED"],
+	["projects", "SHARED"],
+	["sessions", "SHARED"],
+	["tasks", "SHARED"],
+	["todos", "SHARED"],
+	["transcripts", "SHARED"],
+	["shell-snapshots", "SHARED"],
+	["shell_snapshots", "SHARED"],
+	["plans", "SHARED"],
+	["file-history", "SHARED"],
+	["backups", "SHARED"]
+]);
+function policyFor(name) {
+	return CLAUDE_HOME_POLICY.get(name) ?? "MIRRORED";
+}
+/**
+* Names with `SHARED` policy, materialized once for iteration in
+* `ensureClaudeConfigMirror`'s post-copy phase.
+*/
+const SHARED_TOPLEVEL_NAMES = Array.from(CLAUDE_HOME_POLICY.entries()).filter(([, kind]) => kind === "SHARED").map(([name]) => name);
+/**
+* Marker file written into the router-owned CLAUDE_CONFIG_DIR so users
+* (and our own future sweeps) can identify that the dir is managed by
+* github-router. Content is informational only; no logic depends on
+* its presence.
+*/
+const MANAGED_MARKER_FILENAME = ".github-router-managed";
+/**
+* Synthetic Console OAuth credential the router writes into its own
+* `CLAUDE_CONFIG_DIR/.credentials.json` so spawned Claude Code (and
+* any teammates it spawns) can authenticate without a real user
+* `/login`.
+*
+* Schema verified verbatim from `claude` v2.1.140 binary, function
+* `guH` (the credentials-save mutation). Fields:
+*   - `accessToken` — sent as `Authorization: Bearer ...` to the
+*     proxy. Proxy accepts any bearer (per CLAUDE.md "doesn't enforce
+*     auth").
+*   - `refreshToken` — only used by Claude Code's reactive refresh
+*     path (function `nH8`), which fires on 401 from upstream. The
+*     proxy maintains the no-401 invariant on the Anthropic-shape
+*     boundary, so this is never invoked. Synthetic value is fine.
+*   - `expiresAt` — far-future (2099-01-01 ms epoch). Sidesteps the
+*     proactive refresh path (`R8H(expiresAt)` returns false).
+*   - `scopes` — claude-ai-shaped so `tB(scopes)` returns true,
+*     making `Hq()` true (full feature surface, not "inference only").
+*   - `subscriptionType` — `"max"`. Pure client-side label
+*     (`e7()` / `Zc_()` / `CZ1()`); no server validation since
+*     `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1` suppresses
+*     subscription-validation calls. Picks the most-permissive gating.
+*/
+const SYNTHETIC_CREDENTIAL = { claudeAiOauth: {
+	accessToken: "github-router-synthetic",
+	refreshToken: "github-router-synthetic",
+	expiresAt: 40709088e5,
+	scopes: ["user:inference", "user:profile"],
+	subscriptionType: "max",
+	rateLimitTier: null,
+	clientId: "github-router"
+} };
+/**
+* Snapshot-copy the user's `~/.claude/` into the router-owned
+* CLAUDE_CONFIG_DIR (real files, not symlinks — symlinks don't isolate
+* writes), classifying each top-level entry per `CLAUDE_HOME_POLICY`:
+* ISOLATED entries are skipped, MIRRORED entries are copied, and
+* SHARED entries become directory symlinks back to `~/.claude/<X>` so
+* chat history (in `projects/<cwd-hash>/<session-uuid>.jsonl`) and
+* other durable user state flow between proxy and plain-`claude`
+* sessions. Then writes the synthetic `.credentials.json` so spawned
+* Claude Code (and teammates that inherit `CLAUDE_CONFIG_DIR`)
+* authenticate.
+*
+* Idempotent: only re-copies files whose source `mtime` is newer than
+* target; SHARED-symlink creation no-ops when the symlink already
+* points at the right target. Concurrent-safe: `mkdir({recursive:true})`
+* is idempotent; symlinks are created via atomic temp+rename so two
+* parallel github-router-claude startups can't race to EEXIST; the
+* credentials write uses temp-file + atomic rename so Claude Code's
+* `EZ1()` mtime watcher never sees a partial write.
+*
+* Walks with `lstat` (does NOT follow symlinks during traversal — a
+* symlink-into-`/` would otherwise let the walk escape). Symlink leaves
+* in the source tree are skipped during the MIRRORED copy walk (per the
+* symlink-confused-deputy security finding); SHARED symlinks are
+* created on the mirror side only, pointing at predetermined targets
+* inside the user's real `~/.claude/`.
+*
+* Caller is expected to invoke this after `ensurePaths()` and before
+* spawning Claude Code (`launchChild`). The mirror must exist before
+* the child reads it. Currently called from the `claude` subcommand
+* entry point only; `start` and `codex` subcommands don't need it.
+*/
+async function ensureClaudeConfigMirror(opts = {}) {
+	const realHome = opts.realHome ?? os.homedir();
+	const sourceDir = path.join(realHome, ".claude");
+	const targetDir = PATHS.CLAUDE_CONFIG_DIR;
+	await fs.mkdir(targetDir, {
+		recursive: true,
+		mode: 448
+	});
+	await chmodIfPossible(targetDir, 448);
+	let sourceExists = false;
+	try {
+		sourceExists = (await fs.stat(sourceDir)).isDirectory();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot stat ${sourceDir}:`, err);
+	}
+	if (sourceExists) await mirrorDirRecursive(sourceDir, targetDir, "");
+	await fs.mkdir(path.join(targetDir, "agents"), { recursive: true });
+	for (const name of SHARED_TOPLEVEL_NAMES) await ensureSharedSymlink(name, sourceDir, targetDir).catch((err) => {
+		consola.debug(`ensureClaudeConfigMirror: SHARED symlink for ${name} skipped:`, err);
+	});
+	const credentialsPath = path.join(targetDir, ".credentials.json");
+	const desiredJson = JSON.stringify(SYNTHETIC_CREDENTIAL, null, 2);
+	let needsWrite = true;
+	try {
+		needsWrite = (await fs.readFile(credentialsPath, "utf8")).trim() !== desiredJson.trim();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot read existing credentials:`, err);
+	}
+	if (needsWrite) {
+		const tempPath = `${credentialsPath}.${process.pid}.tmp`;
+		try {
+			await fs.writeFile(tempPath, desiredJson + "\n", {
+				mode: 384,
+				flag: "wx"
+			});
+			await fs.rename(tempPath, credentialsPath);
+		} catch (err) {
+			if (err.code === "EEXIST") consola.debug("ensureClaudeConfigMirror: concurrent credentials-write detected, skipping");
+			else {
+				await fs.unlink(tempPath).catch(() => {});
+				throw err;
+			}
+		}
+	}
+	await chmodIfPossible(credentialsPath, 384);
+	const markerPath = path.join(targetDir, MANAGED_MARKER_FILENAME);
+	let markerExists = false;
+	try {
+		const markerStat = await fs.lstat(markerPath);
+		if (markerStat.isFile()) markerExists = true;
+		else {
+			consola.warn(`ensureClaudeConfigMirror: ${markerPath} exists but is not a regular file (mode=${markerStat.mode.toString(8)}); refusing to overwrite. Inspect and remove manually if safe.`);
+			markerExists = true;
+		}
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.debug(`ensureClaudeConfigMirror: cannot lstat marker:`, err);
+			markerExists = true;
+		}
+	}
+	if (!markerExists) {
+		const body = `Managed by github-router. Created ${(/* @__PURE__ */ new Date()).toISOString()}. Safe to delete (will be recreated).\n`;
+		await fs.writeFile(markerPath, body, {
+			mode: 384,
+			flag: "wx"
+		}).catch((err) => {
+			consola.debug(`ensureClaudeConfigMirror: marker write skipped:`, err);
+		});
+	}
+}
+/**
+* Recursive snapshot-copy helper for `ensureClaudeConfigMirror`. Walks
+* `sourceDir/relPath` and mirrors each entry into `targetDir/relPath`.
+* - Top-level entries are dispatched on `policyFor(name)`:
+*     - `ISOLATED` → skipped entirely (no presence in mirror).
+*     - `SHARED`   → skipped from the copy walk; handled by
+*                    `ensureSharedSymlink` in the post-copy phase.
+*     - `MIRRORED` → copied as today.
+* - Symlinks are skipped (not recreated) so the walk never follows out
+*   of `sourceDir` and we don't reintroduce a confused-deputy vector.
+* - Files copy only if source mtime > target mtime (idempotent).
+*/
+async function mirrorDirRecursive(sourceDir, targetDir, relPath) {
+	const sourcePath = path.join(sourceDir, relPath);
+	let entries;
+	try {
+		entries = await fs.readdir(sourcePath);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		consola.debug(`mirrorDirRecursive: cannot readdir ${sourcePath}:`, err);
+		return;
+	}
+	for (const name of entries) {
+		if (relPath === "") {
+			const policy = policyFor(name);
+			if (policy === "ISOLATED" || policy === "SHARED") continue;
+		}
+		const childRel = relPath === "" ? name : path.join(relPath, name);
+		const childSource = path.join(sourceDir, childRel);
+		const childTarget = path.join(targetDir, childRel);
+		let stats;
+		try {
+			stats = await fs.lstat(childSource);
+		} catch (err) {
+			consola.debug(`mirrorDirRecursive: cannot lstat ${childSource}:`, err);
+			continue;
+		}
+		if (stats.isSymbolicLink()) {
+			consola.debug(`mirrorDirRecursive: skipping symlink ${childSource} (security policy)`);
+			continue;
+		}
+		if (stats.isDirectory()) {
+			await fs.mkdir(childTarget, { recursive: true });
+			await mirrorDirRecursive(sourceDir, targetDir, childRel);
+			continue;
+		}
+		if (stats.isFile()) {
+			let needsCopy = true;
+			try {
+				const targetStat = await fs.lstat(childTarget);
+				if (targetStat.isFile() && targetStat.mtimeMs >= stats.mtimeMs) needsCopy = false;
+			} catch (err) {
+				if (err.code !== "ENOENT") consola.debug(`mirrorDirRecursive: lstat target ${childTarget}:`, err);
+			}
+			if (!needsCopy) continue;
+			try {
+				await fs.copyFile(childSource, childTarget, fs.constants.COPYFILE_FICLONE);
+			} catch (err) {
+				consola.debug(`mirrorDirRecursive: copy ${childSource} → ${childTarget}:`, err);
+			}
+			continue;
+		}
+	}
+}
+/**
+* Create or refresh a directory symlink `<mirrorDir>/<name>` →
+* `<sourceDir>/<name>` (i.e. `~/.local/share/github-router/claude-config/<X>`
+* → `~/.claude/<X>`). Idempotent and concurrent-safe.
+*
+* Behavior depending on what's already at `<mirrorDir>/<name>`:
+*   - Symlink with the correct target → no-op.
+*   - Symlink with the wrong target → replace atomically.
+*   - Empty real directory (legacy mirror leftover with no proxy-session
+*     writes accumulated yet) → `rmdir` and replace with the symlink.
+*     Safe by definition: `fs.rmdir` only succeeds on empty dirs (POSIX),
+*     so there is nothing to lose. Smooths the upgrade path for users
+*     whose legacy mirror dirs were never written to.
+*   - Non-empty real directory or regular file → loud-warn and skip.
+*     Auto-deleting would destroy proxy-session writes from the prior
+*     version. The user is told the exact path and remediation.
+*   - ENOENT → create symlink atomically.
+*
+* Atomic-creation: symlinks are first written at a unique side-path
+* (`<mirrorDir>/<name>.tmp.<pid>.<8 hex>`) and then `fs.rename()`d into
+* place. POSIX `rename` is atomic and replaces an existing symlink in
+* a single step, so two concurrent `github-router claude` startups can't
+* race to `EEXIST` — the loser's rename just overwrites the winner's
+* symlink with an identical one. Gemini-critic 3-lab-review finding.
+*
+* Pre-creates `~/.claude/<name>/` as a real directory if missing so
+* Claude Code's writes through the symlink don't fail with ENOENT.
+*/
+async function ensureSharedSymlink(name, sourceDir, mirrorDir) {
+	const sourcePath = path.join(sourceDir, name);
+	const mirrorPath = path.join(mirrorDir, name);
+	try {
+		await fs.mkdir(sourcePath, { recursive: true });
+	} catch (err) {
+		consola.warn(`ensureSharedSymlink(${name}): cannot mkdir source ${sourcePath}:`, err);
+		return;
+	}
+	let existing = null;
+	try {
+		existing = await fs.lstat(mirrorPath);
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.warn(`ensureSharedSymlink(${name}): cannot lstat ${mirrorPath}:`, err);
+			return;
+		}
+	}
+	if (existing?.isSymbolicLink()) {
+		const sourceReal = await fs.realpath(sourcePath).catch(() => null);
+		if (sourceReal === null) {
+			consola.warn(`ensureSharedSymlink(${name}): cannot resolve source ${sourcePath} — skipping junction creation to avoid silent every-startup churn. Inspect the source dir's permissions / OneDrive sync state and re-launch.`);
+			return;
+		}
+		const currentReal = await fs.realpath(mirrorPath).catch(() => null);
+		if (currentReal !== null && currentReal === sourceReal) return;
+	} else if (existing?.isDirectory()) try {
+		await fs.rmdir(mirrorPath);
+	} catch (err) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a non-empty real directory from an older github-router version; refusing to clobber. If you want chat-history continuity for "${name}", move its contents into ${sourcePath}/ then delete ${mirrorPath}; the mirror will create a symlink (junction on Windows) on next launch. (rmdir error: ${err.code ?? "unknown"})`);
+		return;
+	}
+	else if (existing) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a regular file at a SHARED symlink slot; refusing to clobber. Inspect and remove manually if safe; the mirror will create a symlink on next launch.`);
+		return;
+	}
+	const tempPath = `${mirrorPath}.tmp.${process.pid}.${randomBytes(4).toString("hex")}`;
+	try {
+		await fs.symlink(sourcePath, tempPath, process.platform === "win32" ? "junction" : "dir");
+	} catch (err) {
+		consola.warn(`ensureSharedSymlink(${name}): symlink ${tempPath} failed:`, err);
+		return;
+	}
+	if (process.platform === "win32" && existing?.isSymbolicLink()) await fs.unlink(mirrorPath).catch(() => {});
+	try {
+		await fs.rename(tempPath, mirrorPath);
+	} catch (err) {
+		consola.warn(`ensureSharedSymlink(${name}): rename ${tempPath} → ${mirrorPath} failed:`, err);
+		await fs.unlink(tempPath).catch(() => {});
+	}
+}
+async function ensureFile(filePath) {
+	try {
+		await fs.access(filePath, fs.constants.W_OK);
+	} catch {
+		await fs.writeFile(filePath, "");
+		await fs.chmod(filePath, 384);
+	}
+}
+async function chmodIfPossible(target, mode) {
+	if (process.platform === "win32") return;
+	try {
+		await fs.chmod(target, mode);
+	} catch (err) {
+		consola.debug(`chmod ${target} ${mode.toString(8)} failed:`, err);
+	}
+}
+/**
+* Write a runtime tempfile securely.
+*
+*   - Mode `0o600` so other local users (multi-tenant boxes, shared
+*     dev containers) can't read the per-launch nonce or runtime URL.
+*   - `flag: "wx"` (O_CREAT | O_EXCL | O_WRONLY) refuses to overwrite
+*     an existing path. POSIX open(2) with O_EXCL also rejects
+*     pre-placed symlinks, killing the symlink-clobber attack vector.
+*   - The caller's responsibility to pick a path NOT yet in use.
+*     We intentionally do NOT pre-unlink: an `lstat` + `unlink` +
+*     `open(O_EXCL)` sequence still has a TOCTOU window where an
+*     attacker can drop a symlink between unlink and open. Letting
+*     `wx` fail is the safer behavior — surfaces the conflict
+*     instead of silently following.
+*/
+async function writeRuntimeFileSecure(filePath, content) {
+	await fs.writeFile(filePath, content, {
+		mode: 384,
+		flag: "wx"
+	});
+}
+/**
+* Sweep stale runtime tempfiles. Removes files whose embedded PID is no
+* longer a live process. A proxy crash (`kill -9`, OS reboot) leaves
+* orphans that would otherwise accumulate forever — and worse, a stale
+* config pointing at a now-recycled port could route MCP traffic to
+* whatever process bound that port next.
+*
+* Naming convention: `peer-mcp-<pid>.json` and `peer-agents-<pid>.json`.
+* Files not matching either pattern are left alone — this directory
+* is shared with future runtime artifacts.
+*
+* We deliberately do NOT age-prune files whose PID is alive. A
+* legitimately long-running proxy can have a tempfile older than any
+* arbitrary threshold; deleting it out from under the live process
+* breaks the spawned Claude Code child's MCP/agent wiring with no clean
+* recovery. PID-wraparound risk is mitigated by (a) PID reuse on Linux
+* being slow under typical loads, and (b) the file is only consulted by
+* github-router itself — an unrelated process that inherits the PID
+* never reads it.
+*/
+async function sweepStaleRuntimeFiles() {
+	const dir = PATHS.CLAUDE_RUNTIME_DIR;
+	let entries;
+	try {
+		entries = await fs.readdir(dir);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		throw err;
+	}
+	for (const name of entries) {
+		const match = /^peer-(?:mcp|agents)-(\d+)(?:-[0-9a-f]+)?\.json$/.exec(name);
+		if (!match) continue;
+		const pid = Number.parseInt(match[1], 10);
+		const filePath = path.join(dir, name);
+		if (isPidAlive$1(pid)) continue;
+		await fs.unlink(filePath).catch(() => {});
+	}
+}
+function isPidAlive$1(pid) {
+	if (!Number.isInteger(pid) || pid <= 0) return false;
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch (err) {
+		if (err.code === "EPERM") return true;
+		return false;
+	}
+}
+/**
+* Sweep stale peer-* subagent .md files from the router-owned
+* `CLAUDE_CONFIG_DIR/agents/`. Phase 2.5 writes one .md per peer agent
+* into Claude Code's agents directory (now our config dir's `agents/`
+* subdir, since `getClaudeCodeEnvVars` points `CLAUDE_CONFIG_DIR` at
+* `PATHS.CLAUDE_CONFIG_DIR`) so they appear in Claude Code's Task
+* `subagent_type` enum. Files are named `peer-<pid>-<rand>-<agentName>.md`
+* so this sweep can drop orphans from crashed prior proxy sessions
+* without touching the user's own .md files (which were copied into
+* the same dir during `ensureClaudeConfigMirror`).
+*
+* Same liveness rule as `sweepStaleRuntimeFiles`: only delete when the
+* file's embedded PID is no longer alive. Live PIDs keep their files —
+* a long-running proxy doesn't lose its agent registrations.
+*
+* Regex tightening (Phase 2.6, codex-critic + gemini-critic 2-lab finding):
+* the original sweep regex `^peer-(\d+)(?:-[0-9a-f]+)?-.+\.md$` was too
+* permissive — a user-authored `peer-12345-meeting-notes.md` matches
+* (`12345` = "PID", `-meeting-notes` = trailing `.+`) and would be
+* silently unlinked when 12345 happens to be a dead PID (overwhelmingly
+* likely). Tightened to require BOTH the 8-hex-char random suffix AND
+* an exact-match persona name suffix, eliminating the risk for any
+* realistic user filename.
+*/
+async function sweepStalePeerAgentMdFiles() {
+	const dir = path.join(PATHS.CLAUDE_CONFIG_DIR, "agents");
+	let entries;
+	try {
+		entries = await fs.readdir(dir);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		throw err;
+	}
+	for (const name of entries) {
+		const match = PEER_AGENT_MD_FILENAME.exec(name);
+		if (!match) continue;
+		if (isPidAlive$1(Number.parseInt(match[1], 10))) continue;
+		await fs.unlink(path.join(dir, name)).catch(() => {});
+	}
+}
+/**
+* Strict regex matching only files this proxy writes:
+*   peer-<pid>-<8 hex>-<exact persona/coordinator name>.md
+* The persona-name allowlist is the load-bearing protection against
+* deleting user files. Update this list whenever a new persona is added
+* to `PERSONAS_READ` / `PERSONAS_WRITE` in `peer-mcp-personas.ts` or a
+* new coordinator-style agent is added in `codex-mcp-config.ts`.
+*/
+const PEER_AGENT_MD_FILENAME = /^peer-(\d+)-[0-9a-f]{8}-(?:codex-critic|codex-reviewer|gemini-critic|codex-implementer|peer-review-coordinator)\.md$/;
+/**
+* Strict regex matching only per-launch claude-config mirror dirs this
+* proxy creates: `<pid>-<8 hex>`. Anchored to the entire entry name so
+* user-authored siblings under `<appDir>/claude-config/` (if any) are
+* untouchable. The PID prefix is what `sweepStaleClaudeConfigMirrors`
+* keys off; the 8-hex random suffix matches `randomBytes(4)` exactly
+* (no `?` — files created by a different shape are not ours).
+*/
+const CLAUDE_CONFIG_MIRROR_DIR = /^(\d+)-[0-9a-f]{8}$/;
+/**
+* Sweep stale per-launch CLAUDE_CONFIG_DIR mirrors left behind by
+* crashed prior proxy sessions. Symmetric to `sweepStalePeerAgentMdFiles`
+* — same liveness rule (only delete when the embedded PID is dead),
+* same strict regex (the dir-name allowlist is the load-bearing
+* protection against deleting user-authored siblings).
+*
+* Scans `<appDir>/claude-config/` (the parent of the per-launch dirs).
+* Each entry whose name matches `<pid>-<8 hex>` AND whose PID is no
+* longer alive is removed recursively. `fs.rm({recursive: true})`
+* walks the tree calling `unlink` on symlinks/junctions rather than
+* following them, so the SHARED junctions back to `~/.claude/<X>`
+* are removed without touching their targets.
+*
+* Tolerates missing parent dir (first-ever launch, or user wiped it).
+*/
+async function sweepStaleClaudeConfigMirrors() {
+	const parent = path.join(appDir(), "claude-config");
+	let entries;
+	try {
+		entries = await fs.readdir(parent);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		throw err;
+	}
+	for (const name of entries) {
+		const match = CLAUDE_CONFIG_MIRROR_DIR.exec(name);
+		if (!match) continue;
+		if (isPidAlive$1(Number.parseInt(match[1], 10))) continue;
+		await fs.rm(path.join(parent, name), {
+			recursive: true,
+			force: true
+		}).catch((err) => {
+			consola.debug(`sweepStaleClaudeConfigMirrors: cannot rm ${name}:`, err);
+		});
+	}
+}
+/**
+* Remove THIS launch's per-launch CLAUDE_CONFIG_DIR on shutdown.
+* Best-effort: a failure here must not block process exit (the caller
+* wraps this in a `.catch`-equivalent via `launchChild`'s onShutdown
+* try/catch). Symmetric to `writePeerMcpRuntimeFiles`'s `cleanup()`:
+* we own this dir for the lifetime of the proxy, so removing it on
+* normal shutdown is correct; the boot-time sweep handles the
+* abnormal-exit case.
+*
+* `fs.rm({recursive: true})` removes SHARED junctions via unlink
+* (does NOT follow them into the user's real `~/.claude/<X>`).
+*/
+async function removeOwnClaudeConfigMirror() {
+	const dir = PATHS.CLAUDE_CONFIG_DIR;
+	await fs.rm(dir, {
+		recursive: true,
+		force: true
+	}).catch((err) => {
+		consola.debug(`removeOwnClaudeConfigMirror: rm ${dir} skipped:`, err);
+	});
+}
+
+//#endregion
+//#region src/lib/worker-agent/lifecycle.ts
+/**
+* Same regex worktree.ts uses for its per-call age sweep — kept in
+* sync intentionally. `<pid>-<uuid>-<8hex>` strictly.
+*/
+const WORKTREE_DIR_NAME_RE = /^(\d+)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})-([0-9a-f]{8})$/;
+/**
+* Cap on the ledger: how many repos we remember across boots, and how
+* old an entry may be before it's pruned. Both are belt-and-suspenders
+* — the per-call age sweep is the primary guard against accumulation
+* inside any single repo.
+*/
+const LEDGER_MAX_ENTRIES = 100;
+const LEDGER_MAX_AGE_MS = 720 * 60 * 60 * 1e3;
+/**
+* Set-like in-memory registry of worktrees this proxy created. Engine
+* passes it to `createWorktree` so per-call cleanup deletes the entry
+* on success; the signal handlers walk what's left at shutdown.
+*
+* Not a bare `Set` because we want to expose only the operations we
+* actually use, and we want a stable testable surface.
+*/
+var WorktreeRegistry = class {
+	entries = /* @__PURE__ */ new Set();
+	add(entry) {
+		this.entries.add(entry);
+	}
+	delete(entry) {
+		this.entries.delete(entry);
+	}
+	has(entry) {
+		return this.entries.has(entry);
+	}
+	values() {
+		return this.entries.values();
+	}
+	get size() {
+		return this.entries.size;
+	}
+	clear() {
+		this.entries.clear();
+	}
+};
+let _instanceUuid = null;
+/**
+* Stable UUID4 generated once per proxy process. Used in worktree
+* dir/branch names so the boot sweep can reliably distinguish "this
+* proxy's still-live worktrees" from "stranded dirs from a prior
+* proxy that happens to have a recycled PID" — Docker PID-1 across
+* container restarts is the classic case (peer-review HIGH finding).
+*/
+function getInstanceUuid() {
+	if (_instanceUuid === null) _instanceUuid = randomUUID();
+	return _instanceUuid;
+}
+let _registered = false;
+let _activeRegistry = null;
+let _exitHandler = null;
+let _sigintHandler = null;
+let _sigtermHandler = null;
+/**
+* Synchronous cleanup of every registry entry. Best-effort:
+* `execFileSync` failures are swallowed (the dir may have been
+* removed already, or git may not be on PATH any more in some
+* environments). After a successful removal we drop the entry from
+* the registry so a second call is a true no-op.
+*
+* Synchronous on purpose — exit handlers can't reliably await async
+* work; the process would die before the promise settled.
+*/
+function sweepRegistry() {
+	if (!_activeRegistry) return;
+	const snapshot = [..._activeRegistry.values()];
+	for (const entry of snapshot) {
+		try {
+			execFileSync("git", [
+				"-C",
+				entry.repoRoot,
+				"worktree",
+				"remove",
+				"--force",
+				entry.dir
+			], {
+				stdio: "ignore",
+				timeout: 1e4,
+				windowsHide: true
+			});
+		} catch {}
+		try {
+			execFileSync("git", [
+				"-C",
+				entry.repoRoot,
+				"branch",
+				"-D",
+				entry.branch
+			], {
+				stdio: "ignore",
+				timeout: 5e3,
+				windowsHide: true
+			});
+		} catch {}
+		_activeRegistry.delete(entry);
+	}
+}
+/**
+* Wire up SIGINT/SIGTERM/exit handlers that walk the registry and
+* remove every entry. Idempotent: subsequent calls swap the registry
+* pointer but do NOT register additional process listeners (otherwise
+* we'd leak listeners on every `runWorkerAgent`).
+*
+* Signal handlers re-raise the signal after sweeping. Naively running
+* the sweep on SIGINT/SIGTERM and returning would *suppress* the
+* signal: Node defaults to terminating the process on these, but only
+* if no user listener is attached. Once we attach a listener, the
+* default action is cancelled and the process keeps running — which
+* means Ctrl-C would clean worktrees but not actually exit, leaving
+* orphan processes in dev. The `process.kill(pid, sig)` re-raise
+* after removing our own listener restores the default behaviour
+* (the second delivery now hits an empty listener list, so Node
+* terminates with the conventional `128 + signum` exit code).
+*/
+function registerExitHandlers(registry) {
+	_activeRegistry = registry;
+	if (_registered) return;
+	_registered = true;
+	_exitHandler = () => sweepRegistry();
+	_sigintHandler = () => {
+		sweepRegistry();
+		if (_sigintHandler) process$1.off("SIGINT", _sigintHandler);
+		process$1.kill(process$1.pid, "SIGINT");
+	};
+	_sigtermHandler = () => {
+		sweepRegistry();
+		if (_sigtermHandler) process$1.off("SIGTERM", _sigtermHandler);
+		process$1.kill(process$1.pid, "SIGTERM");
+	};
+	process$1.on("SIGINT", _sigintHandler);
+	process$1.on("SIGTERM", _sigtermHandler);
+	process$1.on("exit", _exitHandler);
+}
+function ledgerPath() {
+	return path.join(PATHS.APP_DIR, "worker-repos.json");
+}
+async function readLedger() {
+	let raw;
+	try {
+		raw = await fs.readFile(ledgerPath(), "utf8");
+	} catch (err) {
+		if (err.code === "ENOENT") return { entries: [] };
+		return { entries: [] };
+	}
+	try {
+		const parsed = JSON.parse(raw);
+		if (!parsed || !Array.isArray(parsed.entries)) return { entries: [] };
+		const cleaned = [];
+		for (const e of parsed.entries) if (e && typeof e === "object" && typeof e.repoRoot === "string" && typeof e.lastSeenMs === "number") cleaned.push({
+			repoRoot: e.repoRoot,
+			lastSeenMs: e.lastSeenMs
+		});
+		return { entries: cleaned };
+	} catch {
+		return { entries: [] };
+	}
+}
+/**
+* Per-process serializer for ledger writes. Multiple concurrent
+* `recordWorkerRepo` calls (legitimate: several workers may start at
+* once) would otherwise race read-modify-write on the JSON file. Each
+* call chains onto the previous so the on-disk sequence is
+* deterministic from this process's perspective.
+*
+* Cross-process safety is provided by the atomic temp+rename below,
+* which makes the final state of the file always be a well-formed
+* full snapshot from ONE writer — never a partial write or
+* interleaved JSON.
+*/
+let _ledgerChain = Promise.resolve();
+/**
+* Append `repoRoot` to the ledger (or update its `lastSeenMs`).
+* Atomic temp+rename per peer review.
+*/
+function recordWorkerRepo(repoRoot) {
+	const next = _ledgerChain.then(async () => {
+		await fs.mkdir(PATHS.APP_DIR, { recursive: true });
+		const filtered = (await readLedger()).entries.filter((e) => e.repoRoot !== repoRoot);
+		filtered.push({
+			repoRoot,
+			lastSeenMs: Date.now()
+		});
+		const now = Date.now();
+		const ledger = { entries: filtered.filter((e) => now - e.lastSeenMs < LEDGER_MAX_AGE_MS).slice(-LEDGER_MAX_ENTRIES) };
+		const tmp = `${ledgerPath()}.tmp.${process$1.pid}.${randomBytes(4).toString("hex")}`;
+		try {
+			await writeRuntimeFileSecure(tmp, JSON.stringify(ledger, null, 2));
+			await fs.rename(tmp, ledgerPath());
+		} catch (err) {
+			await fs.unlink(tmp).catch(() => {});
+			throw err;
+		}
+	});
+	_ledgerChain = next.catch(() => void 0);
+	return next;
+}
+function isPidAlive(pid) {
+	if (!Number.isInteger(pid) || pid <= 0) return false;
+	try {
+		process$1.kill(pid, 0);
+		return true;
+	} catch (err) {
+		if (err.code === "EPERM") return true;
+		return false;
+	}
+}
+/**
+* Boot-time sweep. For every repo we recorded in the ledger,
+* enumerate `<repoRoot>/.git/worker-worktrees/` (the conventional
+* location — for repos already inside a worktree, the actual
+* `git-common-dir` may differ, in which case we'll miss this batch
+* and the per-call age sweep will catch them within 7 days) and
+* remove dirs that aren't owned by THIS proxy.
+*
+* Ownership rule: dir is "ours" iff its embedded PID is alive AND
+* its embedded UUID equals `getInstanceUuid()`. Either condition
+* failing → remove.
+*/
+async function sweepStaleWorktreesAtBoot() {
+	const ledger = await readLedger();
+	if (ledger.entries.length === 0) return;
+	const currentUuid = getInstanceUuid();
+	for (const entry of ledger.entries) {
+		const parent = path.join(entry.repoRoot, ".git", "worker-worktrees");
+		let names;
+		try {
+			names = await fs.readdir(parent);
+		} catch {
+			continue;
+		}
+		for (const name of names) {
+			const m = WORKTREE_DIR_NAME_RE.exec(name);
+			if (!m) continue;
+			const pid = Number.parseInt(m[1], 10);
+			const uuid = m[2];
+			if (isPidAlive(pid) && uuid === currentUuid) continue;
+			const fullDir = path.join(parent, name);
+			const branch = `worker/${pid}-${uuid}-${m[3]}`;
+			try {
+				execFileSync("git", [
+					"-C",
+					entry.repoRoot,
+					"worktree",
+					"remove",
+					"--force",
+					fullDir
+				], {
+					stdio: "ignore",
+					timeout: 1e4,
+					windowsHide: true
+				});
+			} catch {}
+			try {
+				execFileSync("git", [
+					"-C",
+					entry.repoRoot,
+					"branch",
+					"-D",
+					branch
+				], {
+					stdio: "ignore",
+					timeout: 5e3,
+					windowsHide: true
+				});
+			} catch {}
+			try {
+				await fs.rm(fullDir, {
+					recursive: true,
+					force: true
+				});
+			} catch {}
+		}
+	}
+}
+
+//#endregion
+export { sweepRegistry as a, ensureClaudeConfigMirror as c, writeRuntimeFileSecure as d, registerExitHandlers as i, ensurePaths as l, getInstanceUuid as n, sweepStaleWorktreesAtBoot as o, recordWorkerRepo as r, PATHS as s, WorktreeRegistry as t, removeOwnClaudeConfigMirror as u };
+//# sourceMappingURL=lifecycle-BrNqqJZH.js.map