mindexec-ai 0.2.385

package/scripts/remote-registry-follower-smoke.mjs

@@ -0,0 +1,752 @@
+#!/usr/bin/env node
+
+import assert from 'node:assert/strict';
+import { spawn } from 'node:child_process';
+import { mkdir, mkdtemp, rm, writeFile } from 'node:fs/promises';
+import { createServer } from 'node:http';
+import net from 'node:net';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { WebSocketServer } from 'ws';
+
+const BRIDGE_TOKEN = 'remote-registry-follower-smoke-token';
+const PAIR_TOKEN = 'remote-registry-follower-pair-token';
+const USER_ID = '11111111-2222-4333-8444-555555555555';
+const SUPABASE_KEY = 'remote-registry-follower-key';
+const ACCESS_TOKEN = 'remote-registry-follower-access-token';
+const EXPIRED_ACCESS_TOKEN = 'remote-registry-follower-expired-access-token';
+const REFRESHED_ACCESS_TOKEN = 'remote-registry-follower-refreshed-access-token';
+const REFRESH_TOKEN = 'remote-registry-follower-refresh-token';
+const LOCAL_BRIDGE_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+
+function wait(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+async function findFreePort() {
+    return await new Promise((resolve, reject) => {
+        const server = net.createServer();
+        server.unref();
+        server.once('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            const port = typeof address === 'object' && address ? address.port : 0;
+            server.close(() => resolve(port));
+        });
+    });
+}
+
+async function fetchJson(url, options = {}) {
+    const response = await fetch(url, {
+        ...options,
+        headers: {
+            ...(options.body ? { 'Content-Type': 'application/json' } : {}),
+            'X-Bridge-Token': options.token || BRIDGE_TOKEN,
+            ...(options.headers || {})
+        }
+    });
+    let payload = null;
+    try {
+        payload = await response.json();
+    } catch {
+        // Empty responses are allowed in failure diagnostics.
+    }
+    return { ok: response.ok, status: response.status, payload };
+}
+
+async function waitFor(predicate, timeoutMs, label) {
+    const startedAt = Date.now();
+    let lastError = null;
+    while (Date.now() - startedAt < timeoutMs) {
+        try {
+            const value = await predicate();
+            if (value) {
+                return value;
+            }
+        } catch (error) {
+            lastError = error;
+        }
+        await wait(100);
+    }
+    throw new Error(`Timed out waiting for ${label}${lastError ? `: ${lastError.message}` : ''}.`);
+}
+
+function createRegistryTarget({ endpoint, endpointCandidates, leaseId, active = true, pairToken = PAIR_TOKEN }) {
+    return {
+        user_id: USER_ID,
+        active,
+        endpoint,
+        endpoint_candidates: endpointCandidates,
+        pair_token: pairToken,
+        lease_id: leaseId,
+        node_id: 'remote-registry-follower-node',
+        host_instance_id: `host-${leaseId}`,
+        expires_at: new Date(Date.now() + 60_000).toISOString()
+    };
+}
+
+function startFakeSupabase(getTarget, setTarget = null) {
+    const requests = [];
+    const realtimeClients = new Set();
+    const validAccessTokens = new Set([ACCESS_TOKEN]);
+    const assertRegistryAuth = req => {
+        assert.equal(String(req.headers.apikey || ''), SUPABASE_KEY);
+        const authorization = String(req.headers.authorization || '');
+        assert.ok(
+            validAccessTokens.has(authorization.replace(/^Bearer\s+/i, '')),
+            `unexpected registry authorization: ${authorization}`);
+    };
+    const server = createServer(async (req, res) => {
+        const readBody = () => new Promise(resolve => {
+            let body = '';
+            req.on('data', chunk => {
+                body += chunk.toString();
+            });
+            req.on('end', () => resolve(body));
+        });
+        const parsed = new URL(req.url || '/', 'http://127.0.0.1');
+        requests.push({
+            method: req.method,
+            pathname: parsed.pathname,
+            authorization: req.headers.authorization || '',
+            apikey: req.headers.apikey || ''
+        });
+
+        if (req.method === 'GET' && parsed.pathname === '/rest/v1/remote_host_targets') {
+            assertRegistryAuth(req);
+            res.writeHead(200, {
+                'Content-Type': 'application/json',
+                'Cache-Control': 'no-store'
+            });
+            const target = getTarget();
+            res.end(JSON.stringify(target ? [target] : []));
+            return;
+        }
+
+        if (req.method === 'POST' && parsed.pathname === '/rest/v1/rpc/set_remote_host_target') {
+            assertRegistryAuth(req);
+            const body = JSON.parse(await readBody() || '{}');
+            const now = Date.now();
+            const existing = getTarget();
+            const sameLease = existing
+                && String(existing.lease_id || '') === String(body.p_lease_id || '')
+                && String(existing.host_instance_id || '') === String(body.p_host_instance_id || '');
+            const expired = !existing?.expires_at || Date.parse(existing.expires_at) <= now;
+            if (existing?.active === true && !sameLease && !expired && body.p_takeover !== true) {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify([{ ok: false, reason: 'host-target-taken' }]));
+                return;
+            }
+
+            setTarget?.({
+                user_id: USER_ID,
+                active: true,
+                endpoint: String(body.p_endpoint || ''),
+                endpoint_candidates: Array.isArray(body.p_endpoint_candidates)
+                    ? body.p_endpoint_candidates
+                    : [String(body.p_endpoint || '')].filter(Boolean),
+                pair_token: String(body.p_pair_token || ''),
+                lease_id: String(body.p_lease_id || ''),
+                node_id: String(body.p_node_id || ''),
+                host_instance_id: String(body.p_host_instance_id || ''),
+                expires_at: String(body.p_expires_at || new Date(Date.now() + 60_000).toISOString())
+            });
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify([{ ok: true, reason: 'ok' }]));
+            return;
+        }
+
+        if (req.method === 'POST' && parsed.pathname === '/auth/v1/token') {
+            assert.equal(parsed.searchParams.get('grant_type'), 'refresh_token');
+            assert.equal(String(req.headers.apikey || ''), SUPABASE_KEY);
+            assert.equal(String(req.headers.authorization || ''), `Bearer ${SUPABASE_KEY}`);
+            const body = JSON.parse(await readBody() || '{}');
+            assert.equal(body.refresh_token, REFRESH_TOKEN);
+            validAccessTokens.add(REFRESHED_ACCESS_TOKEN);
+            res.writeHead(200, {
+                'Content-Type': 'application/json',
+                'Cache-Control': 'no-store'
+            });
+            res.end(JSON.stringify({
+                access_token: REFRESHED_ACCESS_TOKEN,
+                refresh_token: REFRESH_TOKEN,
+                token_type: 'bearer',
+                expires_in: 3600,
+                expires_at: Math.floor(Date.now() / 1000) + 3600,
+                user: {
+                    id: USER_ID,
+                    email: 'remote-registry-follower@example.test'
+                }
+            }));
+            return;
+        }
+
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'not-found' }));
+    });
+    const realtime = new WebSocketServer({ noServer: true });
+
+    realtime.on('connection', (ws, req) => {
+        realtimeClients.add(ws);
+        ws.on('message', data => {
+            const text = data.toString();
+            let message = null;
+            try {
+                message = JSON.parse(text);
+            } catch {
+                return;
+            }
+
+            if (message.event === 'phx_join') {
+                assert.equal(String(req.headers.apikey || ''), SUPABASE_KEY);
+                assert.ok(validAccessTokens.has(String(req.headers.authorization || '').replace(/^Bearer\s+/i, '')));
+                assert.ok(validAccessTokens.has(String(message.payload?.access_token || '')));
+                assert.deepEqual(
+                    message.payload?.config?.postgres_changes?.[0],
+                    {
+                        event: '*',
+                        schema: 'public',
+                        table: 'remote_host_targets',
+                        filter: `user_id=eq.${USER_ID}`
+                    });
+                ws.remoteRegistryTopic = message.topic;
+                ws.send(JSON.stringify({
+                    topic: message.topic,
+                    event: 'phx_reply',
+                    payload: {
+                        status: 'ok',
+                        response: {
+                            postgres_changes: [
+                                {
+                                    id: 1,
+                                    event: '*',
+                                    schema: 'public',
+                                    table: 'remote_host_targets'
+                                }
+                            ]
+                        }
+                    },
+                    ref: message.ref,
+                    join_ref: message.join_ref
+                }));
+                return;
+            }
+
+            if (message.event === 'heartbeat') {
+                ws.send(JSON.stringify({
+                    topic: message.topic,
+                    event: 'phx_reply',
+                    payload: { status: 'ok', response: {} },
+                    ref: message.ref
+                }));
+            }
+        });
+        ws.on('close', () => realtimeClients.delete(ws));
+    });
+
+    server.on('upgrade', (req, socket, head) => {
+        const parsed = new URL(req.url || '/', 'http://127.0.0.1');
+        if (parsed.pathname !== '/realtime/v1/websocket') {
+            socket.destroy();
+            return;
+        }
+
+        realtime.handleUpgrade(req, socket, head, ws => {
+            realtime.emit('connection', ws, req);
+        });
+    });
+
+    return new Promise((resolve, reject) => {
+        server.once('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            const port = typeof address === 'object' && address ? address.port : 0;
+            resolve({
+                url: `http://127.0.0.1:${port}`,
+                requests,
+                realtimeClients,
+                broadcastChange: (type = 'UPDATE') => {
+                    for (const client of realtimeClients) {
+                        if (client.readyState !== 1 || !client.remoteRegistryTopic) {
+                            continue;
+                        }
+
+                        client.send(JSON.stringify({
+                            topic: client.remoteRegistryTopic,
+                            event: 'postgres_changes',
+                            payload: {
+                                ids: [1],
+                                data: {
+                                    schema: 'public',
+                                    table: 'remote_host_targets',
+                                    commit_timestamp: new Date().toISOString(),
+                                    type,
+                                    record: getTarget(),
+                                    old_record: null
+                                }
+                            },
+                            ref: null
+                        }));
+                    }
+                },
+                stop: () => new Promise(done => {
+                    for (const client of realtimeClients) {
+                        try {
+                            client.close();
+                        } catch {
+                            // best effort only
+                        }
+                    }
+                    realtime.close(() => server.close(done));
+                })
+            });
+        });
+    });
+}
+
+function spawnBridge({ bridgePort, remoteHubPort, workspacePath, authRoot, label, supabaseUrl = '', follower = false, publicHost = '' }) {
+    const child = spawn(process.execPath, ['server.js'], {
+        cwd: LOCAL_BRIDGE_DIR,
+        stdio: ['ignore', 'pipe', 'pipe'],
+        windowsHide: true,
+        env: {
+            ...process.env,
+            BRIDGE_PORT: String(bridgePort),
+            BRIDGE_TOKEN,
+            BRIDGE_REQUIRE_TOKEN: '1',
+            MINDEXEC_REMOTE_HUB: '1',
+            REMOTE_HUB_HOST: '127.0.0.1',
+            REMOTE_HUB_PORT: String(remoteHubPort),
+            REMOTE_HUB_PUBLIC_HOST: publicHost,
+            REMOTE_HUB_PAIR_TOKEN: PAIR_TOKEN,
+            WORKSPACE_PATH: workspacePath,
+            MINDEXEC_AUTH_DATA_ROOT: authRoot,
+            MINDEXEC_REMOTE_REGISTRY_FOLLOWER: follower ? '1' : '0',
+            MINDEXEC_REMOTE_REGISTRY_POLL_MS: '10000',
+            MINDEXEC_REMOTE_REGISTRY_FAST_RETRY_MS: '250',
+            MINDEXEC_REMOTE_REGISTRY_INACTIVE_STOP_COUNT: '2',
+            MINDEXEC_REMOTE_REGISTRY_INACTIVE_GRACE_MS: '500',
+            MINDEXEC_REMOTE_REGISTRY_REALTIME_RECONNECT_MS: '250',
+            MINDEXEC_REMOTE_REGISTRY_REALTIME_DEBOUNCE_MS: '100',
+            MINDEXEC_REMOTE_HOST_TARGET_RENEW_MS: '5000',
+            SUPABASE_URL: supabaseUrl,
+            SUPABASE_KEY,
+            NO_COLOR: '1'
+        }
+    });
+
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', chunk => {
+        stdout += chunk.toString();
+    });
+    child.stderr.on('data', chunk => {
+        stderr += chunk.toString();
+    });
+
+    const exitPromise = new Promise(resolve => child.once('exit', resolve));
+    const details = () => `${label} stdout=${stdout}\n${label} stderr=${stderr}`;
+    const stop = async () => {
+        if (child.exitCode === null && !child.killed) {
+            child.kill('SIGTERM');
+            await Promise.race([exitPromise, wait(5000)]);
+            if (child.exitCode === null && !child.killed) {
+                child.kill('SIGKILL');
+            }
+        }
+    };
+
+    return {
+        baseUrl: `http://127.0.0.1:${bridgePort}`,
+        child,
+        details,
+        stop
+    };
+}
+
+async function waitForBridge(bridge) {
+    return await waitFor(async () => {
+        const result = await fetchJson(`${bridge.baseUrl}/api/status`);
+        return result.ok && result.payload?.status === 'ok' ? result.payload : null;
+    }, 30000, `bridge startup\n${bridge.details()}`);
+}
+
+function createSessionPayload(options = {}) {
+    const accessToken = options.accessToken || ACCESS_TOKEN;
+    const refreshToken = options.refreshToken || REFRESH_TOKEN;
+    const expiresAt = options.expiresAt ?? Math.floor(Date.now() / 1000) + 3600;
+    return JSON.stringify({
+        access_token: accessToken,
+        refresh_token: refreshToken,
+        expires_at: expiresAt,
+        user: {
+            id: USER_ID,
+            email: 'remote-registry-follower@example.test'
+        }
+    });
+}
+
+async function writeSession(authRoot, options = {}) {
+    await mkdir(authRoot, { recursive: true });
+    await writeFile(path.join(authRoot, 'supabase-session.json'), createSessionPayload(options), 'utf8');
+}
+
+async function waitForManagedAgent(bridge, managerEndpoint, label, timeoutMs = 20000) {
+    return await waitFor(async () => {
+        const result = await fetchJson(`${bridge.baseUrl}/api/remote/agent/status`);
+        const agent = result.payload;
+        return agent?.running === true
+            && agent?.ready === true
+            && String(agent.manager || '') === managerEndpoint
+            ? agent
+            : null;
+    }, timeoutMs, `${label} managed agent\n${bridge.details()}`);
+}
+
+async function waitForManagedAgentRestart(bridge, managerEndpoint, previousPid, label, timeoutMs = 20000) {
+    return await waitFor(async () => {
+        const result = await fetchJson(`${bridge.baseUrl}/api/remote/agent/status`);
+        const agent = result.payload;
+        return agent?.running === true
+            && agent?.ready === true
+            && String(agent.manager || '') === managerEndpoint
+            && Number(agent.pid || 0) > 0
+            && Number(agent.pid || 0) !== Number(previousPid || 0)
+            ? agent
+            : null;
+    }, timeoutMs, `${label} managed agent restart\n${bridge.details()}`);
+}
+
+async function waitForConnectedDevice(bridge, label) {
+    return await waitFor(async () => {
+        const result = await fetchJson(`${bridge.baseUrl}/api/remote/devices`);
+        return result.payload?.devices?.find(device => device.connected === true) || null;
+    }, 12000, `${label} connected device\n${bridge.details()}`);
+}
+
+function killProcess(pid) {
+    const value = Number(pid || 0);
+    assert.ok(value > 0, `expected positive pid, got ${pid}`);
+    try {
+        process.kill(value, 'SIGTERM');
+    } catch (error) {
+        if (error?.code !== 'ESRCH') {
+            throw error;
+        }
+    }
+}
+
+async function main() {
+    const tempRoot = await mkdtemp(path.join(os.tmpdir(), 'mindexec-remote-registry-smoke-'));
+    let fakeSupabase = null;
+    let renewHost = null;
+    let hostA = null;
+    let hostB = null;
+    let client = null;
+
+    const renewHostBridgePort = await findFreePort();
+    const renewHostRemotePort = await findFreePort();
+    const hostABridgePort = await findFreePort();
+    const hostARemotePort = await findFreePort();
+    const hostBBridgePort = await findFreePort();
+    const hostBRemotePort = await findFreePort();
+    const clientBridgePort = await findFreePort();
+    const clientRemotePort = await findFreePort();
+    const stalePort = await findFreePort();
+    const renewPublicHost = '192.0.2.10';
+    const renewPublicEndpoint = `${renewPublicHost}:${renewHostRemotePort}`;
+    const hostAEndpoint = `127.0.0.1:${hostARemotePort}`;
+    const hostBEndpoint = `127.0.0.1:${hostBRemotePort}`;
+    const staleEndpoint = `127.0.0.1:${stalePort}`;
+    let currentTarget = null;
+
+    try {
+        fakeSupabase = await startFakeSupabase(
+            () => currentTarget,
+            target => {
+                currentTarget = target;
+            });
+
+        const renewHostAuth = path.join(tempRoot, 'auth-renew-host');
+        const hostAAuth = path.join(tempRoot, 'auth-host-a');
+        const hostBAuth = path.join(tempRoot, 'auth-host-b');
+        const clientAuth = path.join(tempRoot, 'auth-client');
+        await writeSession(renewHostAuth);
+        await writeSession(clientAuth, {
+            accessToken: EXPIRED_ACCESS_TOKEN,
+            expiresAt: Math.floor(Date.now() / 1000) - 30
+        });
+
+        renewHost = spawnBridge({
+            bridgePort: renewHostBridgePort,
+            remoteHubPort: renewHostRemotePort,
+            workspacePath: path.join(tempRoot, 'renew-host'),
+            authRoot: renewHostAuth,
+            label: 'renew-host',
+            supabaseUrl: fakeSupabase.url,
+            follower: true,
+            publicHost: renewPublicHost
+        });
+        await waitForBridge(renewHost);
+
+        const renewSetHost = await fetchJson(`${renewHost.baseUrl}/api/remote/host-target`, {
+            method: 'POST',
+            token: BRIDGE_TOKEN,
+            body: JSON.stringify({
+                nodeId: 'remote-registry-renew-node',
+                enabled: true,
+                leaseMs: 60000
+            })
+        });
+        assert.equal(renewSetHost.ok, true, JSON.stringify(renewSetHost.payload));
+        assert.equal(renewSetHost.payload?.ok, true, JSON.stringify(renewSetHost.payload));
+        assert.equal(renewSetHost.payload?.active, true, JSON.stringify(renewSetHost.payload));
+        assert.equal(renewSetHost.payload?.hostTargetRenew?.status, 'active', JSON.stringify(renewSetHost.payload?.hostTargetRenew));
+        assert.equal(currentTarget?.endpoint, renewPublicEndpoint, JSON.stringify(currentTarget));
+        assert.equal(currentTarget?.node_id, 'remote-registry-renew-node', JSON.stringify(currentTarget));
+        await waitFor(() => {
+            const publishCount = fakeSupabase.requests.filter(request =>
+                request.method === 'POST'
+                && request.pathname === '/rest/v1/rpc/set_remote_host_target').length;
+            return publishCount >= 2 ? publishCount : null;
+        }, 8000, `host-target auto renew publish\n${renewHost.details()}`);
+        const beforeResumePublishCount = fakeSupabase.requests.filter(request =>
+            request.method === 'POST'
+            && request.pathname === '/rest/v1/rpc/set_remote_host_target').length;
+        const renewResume = await fetchJson(`${renewHost.baseUrl}/api/remote/system/resume`, {
+            method: 'POST',
+            token: BRIDGE_TOKEN,
+            body: JSON.stringify({
+                driftMs: 65000
+            })
+        });
+        assert.equal(renewResume.ok, true, JSON.stringify(renewResume.payload));
+        assert.equal(renewResume.payload?.ok, true, JSON.stringify(renewResume.payload));
+        assert.equal(renewResume.payload?.remoteSystemResume?.localHost, true, JSON.stringify(renewResume.payload?.remoteSystemResume));
+        await waitFor(() => {
+            const publishCount = fakeSupabase.requests.filter(request =>
+                request.method === 'POST'
+                && request.pathname === '/rest/v1/rpc/set_remote_host_target').length;
+            return publishCount > beforeResumePublishCount ? publishCount : null;
+        }, 8000, `host-target resume republish\n${renewHost.details()}`);
+        const renewStatus = await fetchJson(`${renewHost.baseUrl}/api/status`);
+        assert.equal(renewStatus.payload?.remoteHostTargetRenew?.status, 'active', JSON.stringify(renewStatus.payload?.remoteHostTargetRenew));
+        assert.equal(renewStatus.payload?.remoteHostTargetRenew?.endpoint, renewPublicEndpoint, JSON.stringify(renewStatus.payload?.remoteHostTargetRenew));
+
+        const renewClear = await fetchJson(`${renewHost.baseUrl}/api/remote/host-target`, {
+            method: 'DELETE',
+            token: BRIDGE_TOKEN,
+            body: JSON.stringify({
+                nodeId: 'remote-registry-renew-node'
+            })
+        });
+        assert.equal(renewClear.ok, true, JSON.stringify(renewClear.payload));
+        assert.equal(renewClear.payload?.ok, true, JSON.stringify(renewClear.payload));
+        await renewHost.stop();
+        renewHost = null;
+
+        currentTarget = createRegistryTarget({
+            endpoint: hostAEndpoint,
+            endpointCandidates: [staleEndpoint, hostAEndpoint],
+            leaseId: 'lease-a'
+        });
+
+        hostA = spawnBridge({
+            bridgePort: hostABridgePort,
+            remoteHubPort: hostARemotePort,
+            workspacePath: path.join(tempRoot, 'host-a'),
+            authRoot: hostAAuth,
+            label: 'host-a'
+        });
+        hostB = spawnBridge({
+            bridgePort: hostBBridgePort,
+            remoteHubPort: hostBRemotePort,
+            workspacePath: path.join(tempRoot, 'host-b'),
+            authRoot: hostBAuth,
+            label: 'host-b'
+        });
+        await waitForBridge(hostA);
+        await waitForBridge(hostB);
+
+        client = spawnBridge({
+            bridgePort: clientBridgePort,
+            remoteHubPort: clientRemotePort,
+            workspacePath: path.join(tempRoot, 'client'),
+            authRoot: clientAuth,
+            label: 'client',
+            supabaseUrl: fakeSupabase.url,
+            follower: true
+        });
+        await waitForBridge(client);
+
+        const firstAgent = await waitForManagedAgent(client, hostAEndpoint, 'host-a');
+        assert.equal(firstAgent.usingNpx, false, JSON.stringify(firstAgent));
+        assert.match(String(firstAgent.launcher || ''), /mindexec-remote-fast/i);
+        assert.equal(firstAgent.manager, hostAEndpoint);
+        assert.equal(firstAgent.managerCandidates?.[0], staleEndpoint, JSON.stringify(firstAgent.managerCandidates));
+        assert.ok(
+            fakeSupabase.requests.some(request =>
+                request.method === 'POST'
+                && request.pathname === '/auth/v1/token'),
+            'expected LocalBridge to refresh expired persisted Supabase session without browser involvement');
+        assert.ok(
+            fakeSupabase.requests.some(request =>
+                request.method === 'GET'
+                && request.pathname === '/rest/v1/remote_host_targets'
+                && request.authorization === `Bearer ${REFRESHED_ACCESS_TOKEN}`),
+            'expected registry read to use refreshed access token');
+        await waitForConnectedDevice(hostA, 'host-a');
+        const firstStatus = await fetchJson(`${client.baseUrl}/api/status`);
+        assert.equal(firstStatus.payload?.remoteRegistryRealtime?.subscribed, true, JSON.stringify(firstStatus.payload?.remoteRegistryRealtime));
+        assert.ok(fakeSupabase.realtimeClients.size >= 1, 'expected LocalBridge realtime watcher to connect');
+        const firstPid = Number(firstAgent.pid || 0);
+        assert.ok(firstPid > 0, JSON.stringify(firstAgent));
+
+        const clientResume = await fetchJson(`${client.baseUrl}/api/remote/system/resume`, {
+            method: 'POST',
+            token: BRIDGE_TOKEN,
+            body: JSON.stringify({
+                driftMs: 65000
+            })
+        });
+        assert.equal(clientResume.ok, true, JSON.stringify(clientResume.payload));
+        assert.equal(clientResume.payload?.ok, true, JSON.stringify(clientResume.payload));
+        assert.equal(clientResume.payload?.remoteSystemResume?.registryAgentRestarted, true, JSON.stringify(clientResume.payload?.remoteSystemResume));
+        const resumedAgent = await waitForManagedAgentRestart(client, hostAEndpoint, firstPid, 'host-a after resume', 12000);
+        assert.equal(resumedAgent.usingNpx, false, JSON.stringify(resumedAgent));
+        assert.match(String(resumedAgent.launcher || ''), /mindexec-remote-fast/i);
+        assert.equal(resumedAgent.leaseId, 'lease-a');
+        await waitForConnectedDevice(hostA, 'host-a after resume');
+
+        currentTarget = createRegistryTarget({
+            endpoint: hostBEndpoint,
+            endpointCandidates: [hostBEndpoint],
+            leaseId: 'lease-b'
+        });
+        fakeSupabase.broadcastChange('UPDATE');
+
+        const secondAgent = await waitForManagedAgent(client, hostBEndpoint, 'host-b', 9000);
+        assert.equal(secondAgent.usingNpx, false, JSON.stringify(secondAgent));
+        assert.match(String(secondAgent.launcher || ''), /mindexec-remote-fast/i);
+        assert.equal(secondAgent.manager, hostBEndpoint);
+        assert.equal(secondAgent.leaseId, 'lease-b');
+        await waitForConnectedDevice(hostB, 'host-b');
+
+        await wait(250);
+        currentTarget = null;
+        fakeSupabase.broadcastChange('DELETE');
+        await waitFor(async () => {
+            const status = await fetchJson(`${client.baseUrl}/api/status`);
+            const agent = await fetchJson(`${client.baseUrl}/api/remote/agent/status`);
+            return status.payload?.remoteRegistryFollower?.reason === 'no-active-target-agent-kept'
+                && agent.payload?.running === true
+                && String(agent.payload?.manager || '') === hostBEndpoint
+                ? { status: status.payload.remoteRegistryFollower, agent: agent.payload }
+                : null;
+        }, 4000, `transient no-active-target keeps managed agent\n${client.details()}`);
+
+        currentTarget = createRegistryTarget({
+            endpoint: hostBEndpoint,
+            endpointCandidates: [hostBEndpoint],
+            leaseId: 'lease-b'
+        });
+        fakeSupabase.broadcastChange('INSERT');
+        const restoredAgent = await waitForManagedAgent(client, hostBEndpoint, 'host-b after transient missing target', 9000);
+        assert.equal(Number(restoredAgent.pid || 0), Number(secondAgent.pid || 0), JSON.stringify(restoredAgent));
+
+        const missingAuthWake = await fetchJson(`${client.baseUrl}/api/auth/session`, {
+            method: 'DELETE',
+            token: BRIDGE_TOKEN
+        });
+        assert.equal(missingAuthWake.ok, true, JSON.stringify(missingAuthWake.payload));
+        await waitFor(async () => {
+            const status = await fetchJson(`${client.baseUrl}/api/status`);
+            const agent = await fetchJson(`${client.baseUrl}/api/remote/agent/status`);
+            return status.payload?.remoteRegistryFollower?.reason === 'registry-not-authenticated-agent-kept'
+                && status.payload?.remoteRegistryFollower?.agentKept === true
+                && agent.payload?.running === true
+                && String(agent.payload?.manager || '') === hostBEndpoint
+                && Number(agent.payload?.pid || 0) === Number(secondAgent.pid || 0)
+                ? { status: status.payload.remoteRegistryFollower, agent: agent.payload }
+                : null;
+        }, 4000, `transient missing auth keeps managed agent\n${client.details()}`);
+
+        const restoredAuthWake = await fetchJson(`${client.baseUrl}/api/auth/session`, {
+            method: 'POST',
+            token: BRIDGE_TOKEN,
+            body: JSON.stringify({
+                content: createSessionPayload()
+            })
+        });
+        assert.equal(restoredAuthWake.ok, true, JSON.stringify(restoredAuthWake.payload));
+        const authRestoredAgent = await waitForManagedAgent(client, hostBEndpoint, 'host-b after transient missing auth', 9000);
+        assert.equal(Number(authRestoredAgent.pid || 0), Number(secondAgent.pid || 0), JSON.stringify(authRestoredAgent));
+
+        const secondPid = Number(secondAgent.pid || 0);
+        killProcess(secondPid);
+        const restartedAgent = await waitForManagedAgentRestart(client, hostBEndpoint, secondPid, 'host-b', 12000);
+        assert.equal(restartedAgent.usingNpx, false, JSON.stringify(restartedAgent));
+        assert.match(String(restartedAgent.launcher || ''), /mindexec-remote-fast/i);
+        assert.equal(restartedAgent.leaseId, 'lease-b');
+        await waitForConnectedDevice(hostB, 'host-b after restart');
+
+        currentTarget = {
+            ...currentTarget,
+            active: false,
+            expires_at: new Date(Date.now() - 1000).toISOString()
+        };
+        fakeSupabase.broadcastChange('UPDATE');
+        await wait(700);
+        fakeSupabase.broadcastChange('UPDATE');
+
+        await waitFor(async () => {
+            const status = await fetchJson(`${client.baseUrl}/api/status`);
+            const agent = await fetchJson(`${client.baseUrl}/api/remote/agent/status`);
+            return status.payload?.remoteRegistryFollower?.reason === 'registry-inactive-agent-kept'
+                && status.payload?.remoteRegistryFollower?.agentKept === true
+                && status.payload?.remoteRegistryFollower?.dataPlaneReady === true
+                && agent.payload?.running === true
+                && agent.payload?.ready === true
+                && String(agent.payload?.manager || '') === hostBEndpoint
+                && Number(agent.payload?.pid || 0) === Number(restartedAgent.pid || 0)
+                ? { status: status.payload.remoteRegistryFollower, agent: agent.payload }
+                : null;
+        }, 9000, `registry inactive keeps ready data-plane agent\n${client.details()}`);
+
+        const inactivePid = Number(restartedAgent.pid || 0);
+        killProcess(inactivePid);
+        const recoveredInactiveAgent = await waitForManagedAgentRestart(
+            client,
+            hostBEndpoint,
+            inactivePid,
+            'host-b after inactive target recovery',
+            12000);
+        assert.equal(recoveredInactiveAgent.usingNpx, false, JSON.stringify(recoveredInactiveAgent));
+        assert.match(String(recoveredInactiveAgent.launcher || ''), /mindexec-remote-fast/i);
+        assert.equal(recoveredInactiveAgent.leaseId, 'lease-b');
+        await waitForConnectedDevice(hostB, 'host-b after inactive target recovery');
+        await waitFor(async () => {
+            const status = await fetchJson(`${client.baseUrl}/api/status`);
+            return status.payload?.remoteRegistryFollower?.reason === 'registry-inactive-agent-recovered'
+                && String(status.payload?.remoteRegistryFollower?.targetEndpoint || '') === hostBEndpoint
+                ? status.payload.remoteRegistryFollower
+                : null;
+        }, 4000, `inactive target recovered managed agent\n${client.details()}`);
+        const finalStatus = await fetchJson(`${client.baseUrl}/api/status`);
+        assert.ok(finalStatus.payload?.remoteRegistryRealtime?.changes >= 2, JSON.stringify(finalStatus.payload?.remoteRegistryRealtime));
+        assert.ok(finalStatus.payload?.remoteRegistryRealtime?.wakeups >= 2, JSON.stringify(finalStatus.payload?.remoteRegistryRealtime));
+
+        assert.ok(fakeSupabase.requests.length >= 2, JSON.stringify(fakeSupabase.requests));
+        console.log('Remote registry follower smoke OK');
+    } finally {
+        if (client) await client.stop();
+        if (hostB) await hostB.stop();
+        if (hostA) await hostA.stop();
+        if (renewHost) await renewHost.stop();
+        if (fakeSupabase) await fakeSupabase.stop();
+        await rm(tempRoot, { recursive: true, force: true });
+    }
+}
+
+await main();