moflo 4.10.7 → 4.10.8

package/dist/src/cli/services/daemon-dashboard.js

@@ -16,7 +16,18 @@ import { createServer } from 'node:http';
 import { errorDetail } from '../shared/utils/error-detail.js';
 import { handleMemoryStore, handleMemoryDelete, handleMemoryBatch, handleMemoryGet, handleMemorySearch, handleMemoryList, matchMemoryRpcRoute, } from './daemon-memory-rpc.js';
 import { aggregateClaudeStats, emptyClaudeStatsShape } from './claude-stats.js';
-export const DEFAULT_DASHBOARD_PORT = 3117;
+import { serverPortCandidates, LEGACY_DEFAULT_PORT } from './daemon-port.js';
+import { writeLockPort } from './daemon-lock.js';
+import { findProjectRoot } from './project-root.js';
+import { readOwnMofloVersion } from './daemon-lock.js';
+/**
+ * Legacy default port retained as a re-export of {@link LEGACY_DEFAULT_PORT}
+ * for backward compat with existing importers (`commands/daemon.ts`,
+ * `__tests__/daemon-dashboard.test.ts`). The actual port a daemon binds is
+ * now resolved deterministically per project via `serverPortCandidates()` —
+ * see `daemon-port.ts` and `docs/internal/1145-daemon-port-collision-analysis.md`.
+ */
+export const DEFAULT_DASHBOARD_PORT = LEGACY_DEFAULT_PORT;
 /**
  * Process-wide promise for the shared MemoryAccessor. Memoized as a *promise*
  * (not the resolved value) so concurrent first-callers share a single init
@@ -129,6 +140,27 @@ function tryParseSafe(s) {
         return s;
     }
 }
+/**
+ * Build the `/api/health` response (#1145).
+ *
+ * Identity payload — clients compare `projectRoot` against their own
+ * `findProjectRoot()` and refuse to route to this daemon on mismatch.
+ * Also surfaces `pid`, `version`, and `uptimeMs` for healer-class
+ * diagnostics and orphan-daemon detection.
+ *
+ * Read-only, no-auth, localhost-only (the dashboard binds 127.0.0.1).
+ */
+function handleHealth(daemon, opts) {
+    const status = daemon.getStatus();
+    const startedAt = status.startedAt instanceof Date ? status.startedAt : null;
+    return {
+        status: 'ok',
+        projectRoot: opts.projectRoot ?? findProjectRoot(),
+        pid: status.pid ?? process.pid,
+        version: readOwnMofloVersion() ?? null,
+        uptimeMs: startedAt ? Date.now() - startedAt.getTime() : 0,
+    };
+}
 function handleStatus(daemon) {
     const status = daemon.getStatus();
     // Index config rows by worker type so the row renderer can show a
@@ -244,15 +276,18 @@ function tryParse(s) {
     }
 }
 async function handleMemoryStats() {
-    // Single GROUP BY query — no hardcoded namespace list, no row fetching
-    try {
-        const { getNamespaceCounts } = await import('../memory/memory-initializer.js');
-        const { namespaces, total } = await getNamespaceCounts();
-        return { namespaces, totalEntries: total, available: total > 0 || Object.keys(namespaces).length > 0 };
-    }
-    catch {
-        return { namespaces: {}, totalEntries: 0, available: false };
-    }
+    // Single GROUP BY query — no hardcoded namespace list, no row fetching.
+    // Errors propagate to the request handler's outer try/catch → 500, so
+    // MCP clients see a real failure instead of a silent `totalEntries: 0`.
+    const { getNamespaceCounts } = await import('../memory/memory-initializer.js');
+    const { namespaces, total, withEmbeddings } = await getNamespaceCounts();
+    return {
+        ok: true,
+        namespaces,
+        totalEntries: total,
+        withEmbeddings,
+        available: total > 0 || Object.keys(namespaces).length > 0,
+    };
 }
 /**
  * Build the `/api/claude-stats` response (#1044).
@@ -433,6 +468,11 @@ async function handleRequest(req, res, daemon, opts) {
         if (url === '/') {
             sendHtml(res, DASHBOARD_HTML);
         }
+        else if (url === '/api/health') {
+            // #1145 — identity probe. Clients use this to confirm they're talking
+            // to the daemon for their OWN project before routing memory ops here.
+            sendJson(res, 200, handleHealth(daemon, opts));
+        }
         else if (url === '/api/status') {
             sendJson(res, 200, handleStatus(daemon));
         }
@@ -588,33 +628,62 @@ const MAX_PORT_ATTEMPTS = 10;
 /**
  * Start the dashboard HTTP server.
  *
- * Tries the requested port first, then falls back to port+1, port+2, ...
- * up to MAX_PORT_ATTEMPTS to avoid crashing the daemon when another
- * project's daemon already holds the default port.
+ * Port selection (#1145):
+ *   1. `opts.port`, if explicitly set (CLI `--dashboard-port` flag).
+ *   2. Otherwise `serverPortCandidates(projectRoot)` — deterministic per-
+ *      project port + collision-fallback range.
+ * Both honor `MOFLO_DAEMON_PORT` (collapses the candidate list to one).
+ *
+ * On successful bind the bound port is stamped into `.moflo/daemon.lock`
+ * via `writeLockPort()` so clients can discover it without guessing.
  *
- * @param daemon - WorkerDaemon instance for status data
- * @param opts - Dashboard configuration
- * @returns A handle to stop the server (port reflects the actual bound port)
+ * On bind exhaustion (every candidate in use) the server throws — the
+ * caller is expected to surface the failure rather than stay half-alive
+ * (the silent-trap pattern that produced #1145).
+ *
+ * @returns handle whose `.port` field reflects the actually bound port
  */
 export async function startDashboard(daemon, opts) {
-    const basePort = opts.port;
-    for (let attempt = 0; attempt < MAX_PORT_ATTEMPTS; attempt++) {
-        const port = basePort + attempt;
+    const projectRoot = opts.projectRoot ?? findProjectRoot();
+    const candidates = buildBindCandidates(opts.port, projectRoot, MAX_PORT_ATTEMPTS);
+    let lastErr = null;
+    for (let i = 0; i < candidates.length; i++) {
+        const port = candidates[i];
         try {
-            const handle = await tryListenOnPort(daemon, opts, port);
+            const handle = await tryListenOnPort(daemon, { ...opts, projectRoot }, port);
+            // Stamp the bound port into the lock so clients discover us reliably.
+            // Best-effort: a missing/locked-by-another-pid lock means stamping
+            // is a no-op — the deterministic fallback still works.
+            try {
+                writeLockPort(projectRoot, handle.port);
+            }
+            catch { /* ignore */ }
             return handle;
         }
         catch (err) {
+            lastErr = err;
             const code = err && typeof err === 'object' && 'code' in err ? err.code : '';
-            if (code === 'EADDRINUSE' && attempt < MAX_PORT_ATTEMPTS - 1) {
-                // Port taken — try the next one
+            if (code === 'EADDRINUSE' && i < candidates.length - 1)
                 continue;
-            }
             throw err;
         }
     }
-    // Should be unreachable, but satisfies the type checker
-    throw new Error(`All dashboard ports ${basePort}–${basePort + MAX_PORT_ATTEMPTS - 1} are in use`);
+    // Bind exhaustion — surface so the daemon can hard-fail (#1145 §9.4).
+    throw lastErr ?? new Error(`All dashboard ports (${candidates[0]}…${candidates[candidates.length - 1]}) are in use`);
+}
+/**
+ * Build the ordered list of ports to try.
+ *
+ * When the caller pinned a port (CLI flag), respect it without any
+ * fallback — the consumer pinned it on purpose. When they didn't, use
+ * the deterministic per-project candidates so two projects never collide
+ * silently on a fixed default.
+ */
+function buildBindCandidates(explicitPort, projectRoot, maxAttempts) {
+    if (typeof explicitPort === 'number' && explicitPort > 0 && explicitPort < 65536) {
+        return [explicitPort];
+    }
+    return serverPortCandidates(projectRoot, maxAttempts);
 }
 /**
  * Attempt to bind the dashboard server to a specific port.

package/dist/src/cli/services/daemon-lock.js

@@ -9,9 +9,11 @@
  * and verifying the process command line before trusting a "live" PID.
  */
 import * as fs from 'fs';
-import { dirname, join } from 'path';
+import { dirname, join, sep } from 'path';
 import { fileURLToPath } from 'url';
-import { execSync } from 'child_process';
+import { execFileSync, execSync } from 'child_process';
+import { atomicWriteFileSync } from '../shared/utils/atomic-file-write.js';
+import { normalizeProjectRoot } from './daemon-port.js';
 const LOCK_FILENAME = 'daemon.lock';
 const LOCK_LABEL = 'moflo-daemon';
 /** Resolve the lock file path for a project root. */
@@ -48,6 +50,18 @@ export function readOwnMofloVersion() {
 /**
  * Try to acquire the daemon lock atomically.
  *
+ * Before the EEXIST atomic write, runs a same-project orphan scan (#1150):
+ * enumerates moflo daemon processes whose command line is rooted at THIS
+ * project's CLI binary. If any are found that the lock doesn't account for,
+ * they get SIGTERM'd (3s graceful → SIGKILL) before we try to acquire.
+ * Catches the failure mode where the lock was unlinked (e.g. by an old
+ * doctor-fix or a crashed shutdown handler) but the daemon process is still
+ * alive — without this scan, a fresh daemon would spawn alongside it.
+ *
+ * Tests can opt out of the scan via `MOFLO_TEST_SKIP_ORPHAN_SCAN=1` (the same
+ * env-var also disables the post-spawn fallback in #1086 so vitest workers
+ * don't pay the 8s Windows introspection cost on every acquire).
+ *
  * @returns `{ acquired: true }` on success,
  *          `{ acquired: false, holder: pid }` if another daemon owns the lock.
  */
@@ -58,6 +72,14 @@ export function acquireDaemonLock(projectRoot, pid = process.pid) {
     if (!fs.existsSync(stateDir)) {
         fs.mkdirSync(stateDir, { recursive: true });
     }
+    // #1150 — same-project orphan scan. Runs BEFORE the atomic write because
+    // (a) it lets us reclaim the lock after a crash that left the daemon
+    //     running but the lock unlinked, and
+    // (b) the second-spawn case (lock absent, prior daemon alive) is exactly
+    //     the failure mode that produced two-daemons-per-project in #1145's
+    //     waxstack audit.
+    const lockHolderPid = readLockPayload(lock)?.pid;
+    reapSameProjectOrphans(projectRoot, pid, lockHolderPid);
     const payload = {
         pid,
         startedAt: Date.now(),
@@ -108,6 +130,48 @@ export function releaseDaemonLock(projectRoot, pid = process.pid, force = false)
         safeUnlink(lock);
     }
 }
+/**
+ * Stamp the daemon's bound HTTP port into the lock file (#1145).
+ *
+ * Called by `daemon-dashboard.startDashboard()` after a successful bind so
+ * clients can read the actual port (vs. guessing the fixed default and
+ * silently hitting another project's daemon).
+ *
+ * Best-effort by design:
+ *   - Missing lock → no-op (the daemon didn't acquire the lock; this is
+ *     a test or unusual startup path).
+ *   - Lock owned by a different PID → no-op (we don't overwrite locks we
+ *     don't own).
+ *   - Write failure → swallowed (the daemon still serves; clients fall
+ *     back to the deterministic port resolution).
+ *
+ * Returns `true` on a successful stamp, `false` otherwise. The boolean is
+ * informational — production callers don't branch on it.
+ */
+export function writeLockPort(projectRoot, port, pid = process.pid) {
+    if (!Number.isFinite(port) || port < 1 || port > 65535)
+        return false;
+    const lock = lockPath(projectRoot);
+    const existing = readLockPayload(lock);
+    if (!existing)
+        return false;
+    if (existing.pid !== pid)
+        return false;
+    if (existing.port === port)
+        return true;
+    const updated = { ...existing, port };
+    try {
+        // Atomic write-then-rename: a client reading mid-write never sees a
+        // truncated JSON. The vulnerable window is precisely a re-stamp after
+        // a daemon recycle on a different port, when clients are likeliest
+        // to be probing the lock for the new port.
+        atomicWriteFileSync(lock, JSON.stringify(updated));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Atomically transfer the daemon lock to a new PID (e.g. parent → child).
  *
@@ -125,6 +189,9 @@ export function transferDaemonLock(projectRoot, newPid, fromPid = process.pid) {
         startedAt: Date.now(),
         label: LOCK_LABEL,
         version: existing.version ?? readOwnMofloVersion(),
+        // Preserve the port field across PID transfers (#1145) — the child
+        // process inherits the parent's binding, so the port is still valid.
+        ...(existing.port != null ? { port: existing.port } : {}),
     };
     try {
         // Atomic overwrite — no unlink/recreate gap
@@ -214,11 +281,33 @@ function safeUnlink(path) {
 function isProcessAlive(pid) {
     try {
         process.kill(pid, 0);
-        return true;
     }
     catch {
         return false;
     }
+    // Linux zombie handling: `kill(pid, 0)` succeeds for zombie processes
+    // (exited but not yet reaped). A zombie can't write to the DB or hold
+    // a lock, so treating it as alive exhausts the kill window polling a
+    // corpse. Read /proc/<pid>/stat and treat 'Z' as dead — same logic as
+    // bin/lib/daemon-recycler.mjs:51-69. The case surfaces in tests AND
+    // in any production path where the daemon and our process share a
+    // parent (foreground mode, vitest worker that spawned a child); on
+    // standard detached-daemon production paths init reaps so this is a
+    // no-op there.
+    if (process.platform === 'linux') {
+        try {
+            const stat = fs.readFileSync(`/proc/${pid}/stat`, 'utf-8');
+            const lastParen = stat.lastIndexOf(')');
+            if (lastParen !== -1 && stat.charAt(lastParen + 2) === 'Z')
+                return false;
+        }
+        catch (err) {
+            if (err && err.code === 'ENOENT')
+                return false;
+            // /proc unavailable — fall through with the kill(0) verdict.
+        }
+    }
+    return true;
 }
 /**
  * Cross-platform check: is this PID actually a moflo/claude-flow daemon?
@@ -293,4 +382,302 @@ function isDaemonProcessUnix(pid) {
         return true; // fallback
     }
 }
+// ---------------------------------------------------------------------------
+// Same-project orphan detection (#1150)
+// ---------------------------------------------------------------------------
+/**
+ * Enumerate moflo daemon node processes whose command line is rooted at THIS
+ * project's CLI binary (consumer install OR dogfood-source).
+ *
+ * Returns PIDs. Used by `acquireDaemonLock` (pre-acquire reap) and the
+ * `daemon-orphan` doctor check/fix.
+ *
+ * Matching strategy: cmdline must contain BOTH a moflo daemon marker
+ * (`daemon ... start` + `moflo`/`claude-flow`) AND one of the two
+ * project-rooted cli.js paths. This keeps daemons for OTHER projects out of
+ * scope — they have their own project root and (post-#1145) their own port.
+ *
+ * Cross-platform:
+ *   - Windows: `Get-CimInstance Win32_Process` via PowerShell (single shell
+ *     invocation that returns all node processes with command lines).
+ *   - Linux:   `/proc/<pid>/cmdline` walk.
+ *   - macOS:   `ps -axo pid,command` (no `/proc`).
+ *
+ * Falls back to `[]` if the platform probe fails — better to spawn an extra
+ * daemon than to wrongly kill a foreign-project one.
+ */
+export function findProjectDaemonPids(projectRoot, opts = {}) {
+    if (process.env.MOFLO_TEST_SKIP_ORPHAN_SCAN === '1')
+        return [];
+    const candidates = projectCliCandidates(projectRoot);
+    if (candidates.length === 0)
+        return [];
+    let processes;
+    if (opts.pidsHint) {
+        processes = opts.pidsHint;
+    }
+    else {
+        try {
+            if (process.platform === 'win32')
+                processes = listMofloDaemonsWindows();
+            else if (process.platform === 'linux')
+                processes = listMofloDaemonsLinux();
+            else
+                processes = listMofloDaemonsUnix();
+        }
+        catch {
+            return [];
+        }
+    }
+    return processes.filter(p => cmdlineMatchesProject(p.cmdline, candidates)).map(p => p.pid);
+}
+/**
+ * Candidate absolute paths for THIS project's daemon CLI binary.
+ *
+ * Returns the two layouts moflo ships with — consumer install
+ * (`<root>/node_modules/moflo/bin/cli.js`) and dogfood-source
+ * (`<root>/bin/cli.js`) — normalised for case-insensitive substring match
+ * via the shared `normalizeProjectRoot` helper (which realpaths + lowercases
+ * on Windows, matching the #1145 daemon-identity surface so the two checks
+ * agree about which root a process belongs to).
+ *
+ * Never includes the bare `projectRoot` prefix as a match candidate: an
+ * unrelated process (editor, npm script) whose cmdline happens to mention
+ * the project path would otherwise false-positive once the daemon-marker
+ * regex also incidentally matched.
+ */
+function projectCliCandidates(projectRoot) {
+    const cliRelatives = [
+        join('node_modules', 'moflo', 'bin', 'cli.js'),
+        join('bin', 'cli.js'),
+    ];
+    // realpath both the input AND each candidate path — on macOS the
+    // command-line records the realpath'd form (`/private/var/folders/...`)
+    // while the cwd-rooted candidate stays under `/var/folders/...`.
+    const normRoot = normalizeProjectRoot(projectRoot);
+    const out = new Set();
+    for (const rel of cliRelatives) {
+        // Apply normalizeForMatch ON TOP of normalizeProjectRoot so the
+        // substring match also tolerates mixed separators in the spawn-recorded
+        // cmdline ("\\" vs "/"). `normalizeProjectRoot` realpaths + lowercases
+        // on Windows; `normalizeForMatch` collapses slashes.
+        out.add(normalizeForMatch(normalizeProjectRoot(join(projectRoot, rel))));
+        out.add(normalizeForMatch(normalizeProjectRoot(join(normRoot, rel))));
+    }
+    return Array.from(out).filter(s => s.length > 0);
+}
+function cmdlineMatchesProject(cmdline, candidates) {
+    // Daemon marker — must look like a moflo daemon to even consider matching.
+    if (!/daemon[\s\S]{0,40}start/i.test(cmdline))
+        return false;
+    if (!/moflo|claude-flow/i.test(cmdline))
+        return false;
+    // Substring match against case-folded, slash-normalised forms.
+    const norm = normalizeForMatch(cmdline);
+    return candidates.some(c => c.length > 0 && norm.includes(c));
+}
+function normalizeForMatch(p) {
+    // Collapse mixed slashes to the OS separator so the substring check works
+    // regardless of how spawn quoted the path. Case-fold on Windows.
+    const collapsed = p.replace(/[\\/]+/g, sep);
+    return process.platform === 'win32' ? collapsed.toLowerCase() : collapsed;
+}
+function listMofloDaemonsWindows() {
+    // Use execFileSync so the PS command is passed as a single argument vector
+    // (no cmd.exe quote-mangling). The `@($res)` array-cast handles the
+    // single-result case (`ConvertTo-Json` emits a bare object otherwise, and
+    // `-AsArray` is PS 6+ only). The `if ($res)` guard avoids emitting an
+    // empty string that JSON.parse can't read.
+    const script = "$res = Get-CimInstance Win32_Process -Filter \"Name='node.exe'\" " +
+        "| Select-Object ProcessId, CommandLine; " +
+        "if ($res) { @($res) | ConvertTo-Json -Compress -Depth 3 }";
+    let raw;
+    try {
+        raw = execFileSync('powershell', ['-NoProfile', '-Command', script], {
+            encoding: 'utf-8',
+            timeout: 10000,
+            windowsHide: true,
+            maxBuffer: 16 * 1024 * 1024,
+        });
+    }
+    catch {
+        return [];
+    }
+    if (!raw.trim())
+        return [];
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+    if (!Array.isArray(parsed))
+        parsed = [parsed];
+    return parsed
+        .filter((p) => p && typeof p.CommandLine === 'string' && p.CommandLine.length > 0)
+        .map((p) => ({ pid: Number(p.ProcessId), cmdline: String(p.CommandLine) }))
+        .filter((p) => Number.isFinite(p.pid) && p.pid > 0);
+}
+function listMofloDaemonsLinux() {
+    const out = [];
+    let entries;
+    try {
+        entries = fs.readdirSync('/proc');
+    }
+    catch {
+        return [];
+    }
+    for (const entry of entries) {
+        if (!/^\d+$/.test(entry))
+            continue;
+        const pid = parseInt(entry, 10);
+        try {
+            // cmdline is NUL-separated argv. Replace NULs with spaces for matching.
+            const raw = fs.readFileSync(`/proc/${pid}/cmdline`, 'utf-8');
+            if (!raw)
+                continue;
+            const cmdline = raw.replace(/\0+$/, '').replace(/\0/g, ' ');
+            if (!/\bnode\b/i.test(cmdline) && !/\.js\b/.test(cmdline))
+                continue;
+            out.push({ pid, cmdline });
+        }
+        catch { /* process exited mid-scan / no perms — skip */ }
+    }
+    return out;
+}
+function listMofloDaemonsUnix() {
+    let raw;
+    try {
+        // -axww = all processes including session leaders (BSD form portable to
+        // macOS/Linux), unlimited line width so long cmdlines don't truncate.
+        // execFileSync (no shell) keeps quoting consistent with the rest of the
+        // codebase.
+        raw = execFileSync('ps', ['-axww', '-o', 'pid=,command='], {
+            encoding: 'utf-8',
+            timeout: 5000,
+            maxBuffer: 16 * 1024 * 1024,
+        });
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const line of raw.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        const sepIdx = trimmed.indexOf(' ');
+        if (sepIdx === -1)
+            continue;
+        const pid = parseInt(trimmed.slice(0, sepIdx), 10);
+        if (!Number.isFinite(pid) || pid <= 0)
+            continue;
+        const cmdline = trimmed.slice(sepIdx + 1).trim();
+        if (!/\bnode\b/i.test(cmdline) && !/\.js\b/.test(cmdline))
+            continue;
+        out.push({ pid, cmdline });
+    }
+    return out;
+}
+/**
+ * Same-project orphan reap. Called from `acquireDaemonLock` BEFORE the atomic
+ * write. PIDs that match the lock-holder OR our own process are skipped.
+ *
+ * Best-effort: failures during kill are swallowed because the next step
+ * (atomic exclusive write of the lock) is the source of truth — if the
+ * orphan survives, the lock-acquire still fails cleanly and the caller
+ * reports a stale lock-holder rather than spawning a duplicate.
+ *
+ * Exported for the `Daemon Orphan` healer fix which reuses the same logic.
+ */
+export function reapSameProjectOrphans(projectRoot, ownPid = process.pid, lockHolderPid, 
+/**
+ * Pre-computed project-daemon PIDs. Skips re-running the OS process scan
+ * when the caller already has them — the `Daemon Orphan` doctor-fix
+ * computes them once via `findProjectDaemonPids` and then reuses the
+ * same list here.
+ */
+pidsHint) {
+    const reaped = [];
+    const survived = [];
+    const allPids = pidsHint ?? findProjectDaemonPids(projectRoot);
+    const foreignPids = allPids.filter(p => {
+        if (p === ownPid)
+            return false;
+        if (lockHolderPid != null && p === lockHolderPid)
+            return false;
+        return true;
+    });
+    if (foreignPids.length === 0)
+        return { reaped, survived };
+    for (const pid of foreignPids) {
+        if (terminateOrphan(pid))
+            reaped.push(pid);
+        else
+            survived.push(pid);
+    }
+    return { reaped, survived };
+}
+/**
+ * Terminate a same-project daemon orphan: SIGTERM → 3s graceful poll →
+ * SIGKILL (POSIX) / `taskkill /F /T` (Windows). Returns true once the PID
+ * is no longer alive.
+ */
+function terminateOrphan(pid) {
+    if (!isProcessAlive(pid))
+        return true;
+    try {
+        if (process.platform === 'win32') {
+            // No SIGTERM equivalent for our detached Node daemon on Windows — go
+            // straight to /F /T (same shape as bin/lib/daemon-recycler.mjs and
+            // killBackgroundDaemon). execFileSync keeps args un-shell-quoted.
+            try {
+                execFileSync('taskkill', ['/F', '/T', '/PID', String(pid)], {
+                    windowsHide: true,
+                    timeout: 3000,
+                });
+            }
+            catch { /* already exiting */ }
+        }
+        else {
+            try {
+                process.kill(pid, 'SIGTERM');
+            }
+            catch { /* already dead */ }
+        }
+    }
+    catch { /* fall through to liveness poll */ }
+    // Graceful window
+    const gracefulDeadline = Date.now() + 3000;
+    while (Date.now() < gracefulDeadline && isProcessAlive(pid)) {
+        sleepSyncMs(100);
+    }
+    if (!isProcessAlive(pid))
+        return true;
+    // Escalate to SIGKILL on POSIX (Windows already used /F)
+    if (process.platform !== 'win32') {
+        try {
+            process.kill(pid, 'SIGKILL');
+        }
+        catch { /* already dead */ }
+    }
+    const killDeadline = Date.now() + 1000;
+    while (Date.now() < killDeadline && isProcessAlive(pid)) {
+        sleepSyncMs(100);
+    }
+    return !isProcessAlive(pid);
+}
+function sleepSyncMs(ms) {
+    try {
+        const buf = new Int32Array(new SharedArrayBuffer(4));
+        Atomics.wait(buf, 0, 0, ms);
+    }
+    catch {
+        // SharedArrayBuffer disabled (rare — exotic Node flags); fall back to a
+        // tight loop. Caller's wait windows are bounded so this is safe.
+        const deadline = Date.now() + ms;
+        while (Date.now() < deadline) { /* spin */ }
+    }
+}
 //# sourceMappingURL=daemon-lock.js.map