moflo 4.10.7 → 4.10.9

package/dist/src/cli/services/daemon-lock.js

@@ -9,9 +9,11 @@
  * and verifying the process command line before trusting a "live" PID.
  */
 import * as fs from 'fs';
-import { dirname, join } from 'path';
+import { dirname, join, sep } from 'path';
 import { fileURLToPath } from 'url';
-import { execSync } from 'child_process';
+import { execFileSync, execSync } from 'child_process';
+import { atomicWriteFileSync } from '../shared/utils/atomic-file-write.js';
+import { normalizeProjectRoot } from './daemon-port.js';
 const LOCK_FILENAME = 'daemon.lock';
 const LOCK_LABEL = 'moflo-daemon';
 /** Resolve the lock file path for a project root. */
@@ -48,6 +50,18 @@ export function readOwnMofloVersion() {
 /**
  * Try to acquire the daemon lock atomically.
  *
+ * Before the EEXIST atomic write, runs a same-project orphan scan (#1150):
+ * enumerates moflo daemon processes whose command line is rooted at THIS
+ * project's CLI binary. If any are found that the lock doesn't account for,
+ * they get SIGTERM'd (3s graceful → SIGKILL) before we try to acquire.
+ * Catches the failure mode where the lock was unlinked (e.g. by an old
+ * doctor-fix or a crashed shutdown handler) but the daemon process is still
+ * alive — without this scan, a fresh daemon would spawn alongside it.
+ *
+ * Tests can opt out of the scan via `MOFLO_TEST_SKIP_ORPHAN_SCAN=1` (the same
+ * env-var also disables the post-spawn fallback in #1086 so vitest workers
+ * don't pay the 8s Windows introspection cost on every acquire).
+ *
  * @returns `{ acquired: true }` on success,
  *          `{ acquired: false, holder: pid }` if another daemon owns the lock.
  */
@@ -58,6 +72,14 @@ export function acquireDaemonLock(projectRoot, pid = process.pid) {
     if (!fs.existsSync(stateDir)) {
         fs.mkdirSync(stateDir, { recursive: true });
     }
+    // #1150 — same-project orphan scan. Runs BEFORE the atomic write because
+    // (a) it lets us reclaim the lock after a crash that left the daemon
+    //     running but the lock unlinked, and
+    // (b) the second-spawn case (lock absent, prior daemon alive) is exactly
+    //     the failure mode that produced two-daemons-per-project in #1145's
+    //     waxstack audit.
+    const lockHolderPid = readLockPayload(lock)?.pid;
+    reapSameProjectOrphans(projectRoot, pid, lockHolderPid);
     const payload = {
         pid,
         startedAt: Date.now(),
@@ -108,6 +130,48 @@ export function releaseDaemonLock(projectRoot, pid = process.pid, force = false)
         safeUnlink(lock);
     }
 }
+/**
+ * Stamp the daemon's bound HTTP port into the lock file (#1145).
+ *
+ * Called by `daemon-dashboard.startDashboard()` after a successful bind so
+ * clients can read the actual port (vs. guessing the fixed default and
+ * silently hitting another project's daemon).
+ *
+ * Best-effort by design:
+ *   - Missing lock → no-op (the daemon didn't acquire the lock; this is
+ *     a test or unusual startup path).
+ *   - Lock owned by a different PID → no-op (we don't overwrite locks we
+ *     don't own).
+ *   - Write failure → swallowed (the daemon still serves; clients fall
+ *     back to the deterministic port resolution).
+ *
+ * Returns `true` on a successful stamp, `false` otherwise. The boolean is
+ * informational — production callers don't branch on it.
+ */
+export function writeLockPort(projectRoot, port, pid = process.pid) {
+    if (!Number.isFinite(port) || port < 1 || port > 65535)
+        return false;
+    const lock = lockPath(projectRoot);
+    const existing = readLockPayload(lock);
+    if (!existing)
+        return false;
+    if (existing.pid !== pid)
+        return false;
+    if (existing.port === port)
+        return true;
+    const updated = { ...existing, port };
+    try {
+        // Atomic write-then-rename: a client reading mid-write never sees a
+        // truncated JSON. The vulnerable window is precisely a re-stamp after
+        // a daemon recycle on a different port, when clients are likeliest
+        // to be probing the lock for the new port.
+        atomicWriteFileSync(lock, JSON.stringify(updated));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Atomically transfer the daemon lock to a new PID (e.g. parent → child).
  *
@@ -125,6 +189,9 @@ export function transferDaemonLock(projectRoot, newPid, fromPid = process.pid) {
         startedAt: Date.now(),
         label: LOCK_LABEL,
         version: existing.version ?? readOwnMofloVersion(),
+        // Preserve the port field across PID transfers (#1145) — the child
+        // process inherits the parent's binding, so the port is still valid.
+        ...(existing.port != null ? { port: existing.port } : {}),
     };
     try {
         // Atomic overwrite — no unlink/recreate gap
@@ -214,11 +281,33 @@ function safeUnlink(path) {
 function isProcessAlive(pid) {
     try {
         process.kill(pid, 0);
-        return true;
     }
     catch {
         return false;
     }
+    // Linux zombie handling: `kill(pid, 0)` succeeds for zombie processes
+    // (exited but not yet reaped). A zombie can't write to the DB or hold
+    // a lock, so treating it as alive exhausts the kill window polling a
+    // corpse. Read /proc/<pid>/stat and treat 'Z' as dead — same logic as
+    // bin/lib/daemon-recycler.mjs:51-69. The case surfaces in tests AND
+    // in any production path where the daemon and our process share a
+    // parent (foreground mode, vitest worker that spawned a child); on
+    // standard detached-daemon production paths init reaps so this is a
+    // no-op there.
+    if (process.platform === 'linux') {
+        try {
+            const stat = fs.readFileSync(`/proc/${pid}/stat`, 'utf-8');
+            const lastParen = stat.lastIndexOf(')');
+            if (lastParen !== -1 && stat.charAt(lastParen + 2) === 'Z')
+                return false;
+        }
+        catch (err) {
+            if (err && err.code === 'ENOENT')
+                return false;
+            // /proc unavailable — fall through with the kill(0) verdict.
+        }
+    }
+    return true;
 }
 /**
  * Cross-platform check: is this PID actually a moflo/claude-flow daemon?
@@ -293,4 +382,302 @@ function isDaemonProcessUnix(pid) {
         return true; // fallback
     }
 }
+// ---------------------------------------------------------------------------
+// Same-project orphan detection (#1150)
+// ---------------------------------------------------------------------------
+/**
+ * Enumerate moflo daemon node processes whose command line is rooted at THIS
+ * project's CLI binary (consumer install OR dogfood-source).
+ *
+ * Returns PIDs. Used by `acquireDaemonLock` (pre-acquire reap) and the
+ * `daemon-orphan` doctor check/fix.
+ *
+ * Matching strategy: cmdline must contain BOTH a moflo daemon marker
+ * (`daemon ... start` + `moflo`/`claude-flow`) AND one of the two
+ * project-rooted cli.js paths. This keeps daemons for OTHER projects out of
+ * scope — they have their own project root and (post-#1145) their own port.
+ *
+ * Cross-platform:
+ *   - Windows: `Get-CimInstance Win32_Process` via PowerShell (single shell
+ *     invocation that returns all node processes with command lines).
+ *   - Linux:   `/proc/<pid>/cmdline` walk.
+ *   - macOS:   `ps -axo pid,command` (no `/proc`).
+ *
+ * Falls back to `[]` if the platform probe fails — better to spawn an extra
+ * daemon than to wrongly kill a foreign-project one.
+ */
+export function findProjectDaemonPids(projectRoot, opts = {}) {
+    if (process.env.MOFLO_TEST_SKIP_ORPHAN_SCAN === '1')
+        return [];
+    const candidates = projectCliCandidates(projectRoot);
+    if (candidates.length === 0)
+        return [];
+    let processes;
+    if (opts.pidsHint) {
+        processes = opts.pidsHint;
+    }
+    else {
+        try {
+            if (process.platform === 'win32')
+                processes = listMofloDaemonsWindows();
+            else if (process.platform === 'linux')
+                processes = listMofloDaemonsLinux();
+            else
+                processes = listMofloDaemonsUnix();
+        }
+        catch {
+            return [];
+        }
+    }
+    return processes.filter(p => cmdlineMatchesProject(p.cmdline, candidates)).map(p => p.pid);
+}
+/**
+ * Candidate absolute paths for THIS project's daemon CLI binary.
+ *
+ * Returns the two layouts moflo ships with — consumer install
+ * (`<root>/node_modules/moflo/bin/cli.js`) and dogfood-source
+ * (`<root>/bin/cli.js`) — normalised for case-insensitive substring match
+ * via the shared `normalizeProjectRoot` helper (which realpaths + lowercases
+ * on Windows, matching the #1145 daemon-identity surface so the two checks
+ * agree about which root a process belongs to).
+ *
+ * Never includes the bare `projectRoot` prefix as a match candidate: an
+ * unrelated process (editor, npm script) whose cmdline happens to mention
+ * the project path would otherwise false-positive once the daemon-marker
+ * regex also incidentally matched.
+ */
+function projectCliCandidates(projectRoot) {
+    const cliRelatives = [
+        join('node_modules', 'moflo', 'bin', 'cli.js'),
+        join('bin', 'cli.js'),
+    ];
+    // realpath both the input AND each candidate path — on macOS the
+    // command-line records the realpath'd form (`/private/var/folders/...`)
+    // while the cwd-rooted candidate stays under `/var/folders/...`.
+    const normRoot = normalizeProjectRoot(projectRoot);
+    const out = new Set();
+    for (const rel of cliRelatives) {
+        // Apply normalizeForMatch ON TOP of normalizeProjectRoot so the
+        // substring match also tolerates mixed separators in the spawn-recorded
+        // cmdline ("\\" vs "/"). `normalizeProjectRoot` realpaths + lowercases
+        // on Windows; `normalizeForMatch` collapses slashes.
+        out.add(normalizeForMatch(normalizeProjectRoot(join(projectRoot, rel))));
+        out.add(normalizeForMatch(normalizeProjectRoot(join(normRoot, rel))));
+    }
+    return Array.from(out).filter(s => s.length > 0);
+}
+function cmdlineMatchesProject(cmdline, candidates) {
+    // Daemon marker — must look like a moflo daemon to even consider matching.
+    if (!/daemon[\s\S]{0,40}start/i.test(cmdline))
+        return false;
+    if (!/moflo|claude-flow/i.test(cmdline))
+        return false;
+    // Substring match against case-folded, slash-normalised forms.
+    const norm = normalizeForMatch(cmdline);
+    return candidates.some(c => c.length > 0 && norm.includes(c));
+}
+function normalizeForMatch(p) {
+    // Collapse mixed slashes to the OS separator so the substring check works
+    // regardless of how spawn quoted the path. Case-fold on Windows.
+    const collapsed = p.replace(/[\\/]+/g, sep);
+    return process.platform === 'win32' ? collapsed.toLowerCase() : collapsed;
+}
+function listMofloDaemonsWindows() {
+    // Use execFileSync so the PS command is passed as a single argument vector
+    // (no cmd.exe quote-mangling). The `@($res)` array-cast handles the
+    // single-result case (`ConvertTo-Json` emits a bare object otherwise, and
+    // `-AsArray` is PS 6+ only). The `if ($res)` guard avoids emitting an
+    // empty string that JSON.parse can't read.
+    const script = "$res = Get-CimInstance Win32_Process -Filter \"Name='node.exe'\" " +
+        "| Select-Object ProcessId, CommandLine; " +
+        "if ($res) { @($res) | ConvertTo-Json -Compress -Depth 3 }";
+    let raw;
+    try {
+        raw = execFileSync('powershell', ['-NoProfile', '-Command', script], {
+            encoding: 'utf-8',
+            timeout: 10000,
+            windowsHide: true,
+            maxBuffer: 16 * 1024 * 1024,
+        });
+    }
+    catch {
+        return [];
+    }
+    if (!raw.trim())
+        return [];
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+    if (!Array.isArray(parsed))
+        parsed = [parsed];
+    return parsed
+        .filter((p) => p && typeof p.CommandLine === 'string' && p.CommandLine.length > 0)
+        .map((p) => ({ pid: Number(p.ProcessId), cmdline: String(p.CommandLine) }))
+        .filter((p) => Number.isFinite(p.pid) && p.pid > 0);
+}
+function listMofloDaemonsLinux() {
+    const out = [];
+    let entries;
+    try {
+        entries = fs.readdirSync('/proc');
+    }
+    catch {
+        return [];
+    }
+    for (const entry of entries) {
+        if (!/^\d+$/.test(entry))
+            continue;
+        const pid = parseInt(entry, 10);
+        try {
+            // cmdline is NUL-separated argv. Replace NULs with spaces for matching.
+            const raw = fs.readFileSync(`/proc/${pid}/cmdline`, 'utf-8');
+            if (!raw)
+                continue;
+            const cmdline = raw.replace(/\0+$/, '').replace(/\0/g, ' ');
+            if (!/\bnode\b/i.test(cmdline) && !/\.js\b/.test(cmdline))
+                continue;
+            out.push({ pid, cmdline });
+        }
+        catch { /* process exited mid-scan / no perms — skip */ }
+    }
+    return out;
+}
+function listMofloDaemonsUnix() {
+    let raw;
+    try {
+        // -axww = all processes including session leaders (BSD form portable to
+        // macOS/Linux), unlimited line width so long cmdlines don't truncate.
+        // execFileSync (no shell) keeps quoting consistent with the rest of the
+        // codebase.
+        raw = execFileSync('ps', ['-axww', '-o', 'pid=,command='], {
+            encoding: 'utf-8',
+            timeout: 5000,
+            maxBuffer: 16 * 1024 * 1024,
+        });
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const line of raw.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        const sepIdx = trimmed.indexOf(' ');
+        if (sepIdx === -1)
+            continue;
+        const pid = parseInt(trimmed.slice(0, sepIdx), 10);
+        if (!Number.isFinite(pid) || pid <= 0)
+            continue;
+        const cmdline = trimmed.slice(sepIdx + 1).trim();
+        if (!/\bnode\b/i.test(cmdline) && !/\.js\b/.test(cmdline))
+            continue;
+        out.push({ pid, cmdline });
+    }
+    return out;
+}
+/**
+ * Same-project orphan reap. Called from `acquireDaemonLock` BEFORE the atomic
+ * write. PIDs that match the lock-holder OR our own process are skipped.
+ *
+ * Best-effort: failures during kill are swallowed because the next step
+ * (atomic exclusive write of the lock) is the source of truth — if the
+ * orphan survives, the lock-acquire still fails cleanly and the caller
+ * reports a stale lock-holder rather than spawning a duplicate.
+ *
+ * Exported for the `Daemon Orphan` healer fix which reuses the same logic.
+ */
+export function reapSameProjectOrphans(projectRoot, ownPid = process.pid, lockHolderPid, 
+/**
+ * Pre-computed project-daemon PIDs. Skips re-running the OS process scan
+ * when the caller already has them — the `Daemon Orphan` doctor-fix
+ * computes them once via `findProjectDaemonPids` and then reuses the
+ * same list here.
+ */
+pidsHint) {
+    const reaped = [];
+    const survived = [];
+    const allPids = pidsHint ?? findProjectDaemonPids(projectRoot);
+    const foreignPids = allPids.filter(p => {
+        if (p === ownPid)
+            return false;
+        if (lockHolderPid != null && p === lockHolderPid)
+            return false;
+        return true;
+    });
+    if (foreignPids.length === 0)
+        return { reaped, survived };
+    for (const pid of foreignPids) {
+        if (terminateOrphan(pid))
+            reaped.push(pid);
+        else
+            survived.push(pid);
+    }
+    return { reaped, survived };
+}
+/**
+ * Terminate a same-project daemon orphan: SIGTERM → 3s graceful poll →
+ * SIGKILL (POSIX) / `taskkill /F /T` (Windows). Returns true once the PID
+ * is no longer alive.
+ */
+function terminateOrphan(pid) {
+    if (!isProcessAlive(pid))
+        return true;
+    try {
+        if (process.platform === 'win32') {
+            // No SIGTERM equivalent for our detached Node daemon on Windows — go
+            // straight to /F /T (same shape as bin/lib/daemon-recycler.mjs and
+            // killBackgroundDaemon). execFileSync keeps args un-shell-quoted.
+            try {
+                execFileSync('taskkill', ['/F', '/T', '/PID', String(pid)], {
+                    windowsHide: true,
+                    timeout: 3000,
+                });
+            }
+            catch { /* already exiting */ }
+        }
+        else {
+            try {
+                process.kill(pid, 'SIGTERM');
+            }
+            catch { /* already dead */ }
+        }
+    }
+    catch { /* fall through to liveness poll */ }
+    // Graceful window
+    const gracefulDeadline = Date.now() + 3000;
+    while (Date.now() < gracefulDeadline && isProcessAlive(pid)) {
+        sleepSyncMs(100);
+    }
+    if (!isProcessAlive(pid))
+        return true;
+    // Escalate to SIGKILL on POSIX (Windows already used /F)
+    if (process.platform !== 'win32') {
+        try {
+            process.kill(pid, 'SIGKILL');
+        }
+        catch { /* already dead */ }
+    }
+    const killDeadline = Date.now() + 1000;
+    while (Date.now() < killDeadline && isProcessAlive(pid)) {
+        sleepSyncMs(100);
+    }
+    return !isProcessAlive(pid);
+}
+function sleepSyncMs(ms) {
+    try {
+        const buf = new Int32Array(new SharedArrayBuffer(4));
+        Atomics.wait(buf, 0, 0, ms);
+    }
+    catch {
+        // SharedArrayBuffer disabled (rare — exotic Node flags); fall back to a
+        // tight loop. Caller's wait windows are bounded so this is safe.
+        const deadline = Date.now() + ms;
+        while (Date.now() < deadline) { /* spin */ }
+    }
+}
 //# sourceMappingURL=daemon-lock.js.map

package/dist/src/cli/services/daemon-port.js

@@ -0,0 +1,252 @@
+/**
+ * Daemon port resolution — single source of truth for the moflo daemon's
+ * HTTP port.
+ *
+ * Before #1145, `DEFAULT_DASHBOARD_PORT` in `daemon-dashboard.ts` and
+ * `DEFAULT_DAEMON_PORT` in `daemon-write-client.ts` were two separate `3117`
+ * literals. The server tried 3117 → 3126 on `EADDRINUSE`; the client always
+ * POSTed to 3117. When a second moflo project's daemon bound 3118+, that
+ * project's clients still hit 3117 → silent cross-project read/write
+ * routing. See `docs/internal/1145-daemon-port-collision-analysis.md`.
+ *
+ * This module collapses both literals into one resolver. Every entry point
+ * MUST go through `resolveProjectPort()` (or read the `port` field a
+ * already-bound daemon recorded in `.moflo/daemon.lock`).
+ *
+ * Resolution precedence — server and client agree:
+ *   1. `MOFLO_DAEMON_PORT` env override (consumer pin / smoke harness — wins)
+ *   2. Lock-file `port` field (client-only — server WRITES this after bind)
+ *   3. `resolveProjectPort(projectRoot)` — sha256(path) → 33000+(hash%1000)
+ *   4. `LEGACY_DEFAULT_PORT` (3117) — read-only fallback for ancient locks
+ *      with no port field and no env override; warns once via stderr
+ *
+ * @module cli/services/daemon-port
+ */
+import { createHash } from 'node:crypto';
+import { existsSync, readFileSync, realpathSync } from 'node:fs';
+import { join } from 'node:path';
+import * as http from 'node:http';
+/**
+ * Deterministic port range. 33000-33999 — clear of every common dev-server
+ * port (3000, 3001, 4000, 5000, 5173, 8000, 8080), every well-known service
+ * (≤ 1024), and the moflo legacy default (3117). Collision probability across
+ * N active projects is ~N/1000; the identity check (`isDaemonIdentityMatch`)
+ * is the safety net when collisions do hit.
+ */
+export const PORT_RANGE_BASE = 33000;
+export const PORT_RANGE_SIZE = 1000;
+/**
+ * Legacy default port — used by daemons that haven't been upgraded past
+ * 4.10.7 and locks that never recorded a port field. Kept as a read-only
+ * fallback so a fresh client probing an old daemon still finds it; clients
+ * that fall through to this path emit a one-time deprecation warn.
+ *
+ * NEW code must NEVER reference this constant outside `daemon-port.ts`. The
+ * regression guard at `tests/system/no-fixed-3117.test.ts` enforces.
+ */
+export const LEGACY_DEFAULT_PORT = 3117;
+/**
+ * Resolve the canonical port for a given project root.
+ *
+ * Pure function — no I/O. Same project path → same port across daemon
+ * restarts, across processes, across machines (the hash is deterministic).
+ *
+ * @param projectRoot absolute path to the project root (use `findProjectRoot()`)
+ * @returns port in `[PORT_RANGE_BASE, PORT_RANGE_BASE + PORT_RANGE_SIZE)`
+ */
+export function resolveProjectPort(projectRoot) {
+    const envPort = readEnvPortOverride();
+    if (envPort != null)
+        return envPort;
+    const hash = createHash('sha256').update(projectRoot).digest();
+    return PORT_RANGE_BASE + (hash.readUInt16BE(0) % PORT_RANGE_SIZE);
+}
+/**
+ * Read `MOFLO_DAEMON_PORT` from the environment. Returns the parsed port
+ * (1-65535) or `null` if unset/invalid.
+ *
+ * Exported so callers can short-circuit lock-file reads when the env is
+ * pinned — useful in the smoke harness and CI where the env is the
+ * authoritative pin.
+ */
+export function readEnvPortOverride() {
+    const raw = process.env.MOFLO_DAEMON_PORT;
+    if (!raw)
+        return null;
+    const n = parseInt(raw, 10);
+    if (!Number.isFinite(n) || n < 1 || n > 65535)
+        return null;
+    return n;
+}
+/**
+ * Resolve the daemon port a CLIENT should connect to for a given project.
+ *
+ * Reads `.moflo/daemon.lock` to discover the actual bound port — if the
+ * daemon collided with another project in its deterministic-range bucket
+ * and the dashboard retry loop bumped it forward, the lock reflects reality
+ * and the client follows. Falls back to `resolveProjectPort` when the lock
+ * is absent (daemon not yet started), the lock has no `port` field (old
+ * daemon predating #1145), or the port reads as invalid.
+ *
+ * Never throws — every I/O failure degrades to the deterministic fallback.
+ */
+export function resolveClientPort(projectRoot) {
+    const envPort = readEnvPortOverride();
+    if (envPort != null)
+        return envPort;
+    try {
+        const lockFile = join(projectRoot, '.moflo', 'daemon.lock');
+        if (existsSync(lockFile)) {
+            const raw = readFileSync(lockFile, 'utf-8');
+            const lock = JSON.parse(raw);
+            const lockPort = typeof lock?.port === 'number' ? lock.port : null;
+            if (lockPort && Number.isFinite(lockPort) && lockPort > 0 && lockPort < 65536) {
+                return lockPort;
+            }
+        }
+    }
+    catch {
+        // Corrupt or unreadable lock — fall through to deterministic port.
+    }
+    return resolveProjectPort(projectRoot);
+}
+/**
+ * Build the list of ports the SERVER should try, in order, when starting
+ * the daemon. First entry is the deterministic port; the rest are the
+ * collision-fallback range. Capped at `PORT_RANGE_SIZE` so the loop can
+ * never wrap past the bucket.
+ *
+ * If the env override is set, the list collapses to that single port —
+ * the consumer pinned it on purpose; respect their choice and hard-fail
+ * if it's already in use.
+ */
+export function serverPortCandidates(projectRoot, maxAttempts = 10) {
+    const envPort = readEnvPortOverride();
+    if (envPort != null)
+        return [envPort];
+    const base = resolveProjectPort(projectRoot);
+    const attempts = Math.min(Math.max(1, maxAttempts), PORT_RANGE_SIZE);
+    const ports = [];
+    for (let i = 0; i < attempts; i++) {
+        ports.push(PORT_RANGE_BASE + ((base - PORT_RANGE_BASE + i) % PORT_RANGE_SIZE));
+    }
+    return ports;
+}
+// ============================================================================
+// Identity probe — shared by client + healer (#1145)
+// ============================================================================
+/**
+ * Normalize project root paths for identity comparison.
+ *
+ *   - Resolve symlinks via `realpathSync`. macOS aliases `/var/folders`
+ *     → `/private/var/folders`; one side of the daemon/client pair may
+ *     resolve the symlink and the other may not, producing false-positive
+ *     identity mismatches on otherwise-matching project roots (caught by
+ *     the consumer-smoke harness on macOS + Ubuntu after the original
+ *     #1145 fix). Ubuntu hits the same shape via `/tmp` symlinks under
+ *     certain mount configurations.
+ *   - Lowercase on Windows so `C:\Users\...` and `c:\users\...` compare
+ *     equal. POSIX is case-sensitive — pass through.
+ *
+ * Never throws — a path that doesn't exist (or that we lack permission
+ * to stat) falls back to the input string. The fallback case is safe
+ * because the symlink-mismatch class only fires on paths that DO exist
+ * (both daemon and client just resolved them).
+ */
+export function normalizeProjectRoot(p) {
+    let resolved = p;
+    try {
+        resolved = realpathSync(p);
+    }
+    catch { /* path doesn't exist / EACCES — use input */ }
+    return process.platform === 'win32' ? resolved.toLowerCase() : resolved;
+}
+/**
+ * Send `GET /api/health` to `127.0.0.1:<port>` and parse the daemon's
+ * identity payload. Never throws — every failure mode maps to a
+ * `DaemonIdentityProbe` variant.
+ *
+ * Shared by `daemon-write-client.ts` (per-request safety net) and
+ * `doctor-checks-config.ts` (`checkDaemonIdentity` subcheck).
+ */
+export function probeDaemonHealth(port, timeoutMs) {
+    return new Promise((resolve) => {
+        let done = false;
+        const finish = (r) => {
+            if (done)
+                return;
+            done = true;
+            resolve(r);
+        };
+        const req = http.get({ host: '127.0.0.1', port, path: '/api/health', timeout: timeoutMs }, (res) => {
+            const status = res.statusCode ?? 0;
+            if (status === 404) {
+                res.resume();
+                finish({ kind: 'legacy' });
+                return;
+            }
+            if (status !== 200) {
+                res.resume();
+                finish({ kind: 'unreachable' });
+                return;
+            }
+            let buf = '';
+            res.setEncoding('utf8');
+            res.on('data', (chunk) => { buf += chunk; });
+            res.on('end', () => {
+                try {
+                    const data = JSON.parse(buf);
+                    if (typeof data?.projectRoot === 'string' && data.projectRoot.length > 0) {
+                        finish({ kind: 'identity', projectRoot: data.projectRoot });
+                        return;
+                    }
+                    // 200 but no identity field — pre-#1145 daemon that 200s on
+                    // every URL. Same handling as a 404.
+                    finish({ kind: 'legacy' });
+                }
+                catch {
+                    finish({ kind: 'legacy' });
+                }
+            });
+            res.on('error', () => finish({ kind: 'unreachable' }));
+        });
+        req.on('error', () => finish({ kind: 'unreachable' }));
+        req.on('timeout', () => { req.destroy(); finish({ kind: 'unreachable' }); });
+    });
+}
+/** Retry backoff schedule for HTTP liveness probes (#1163 — Windows CI race). */
+const PROBE_RETRY_BACKOFF_MS = [50, 200, 800];
+/**
+ * {@link probeDaemonHealth} with retry on transient `unreachable` results.
+ *
+ * The bare one-shot probe was tripping in CI when a daemon was mid-boot on
+ * Windows: the lockfile said v4.10.8 was alive but the HTTP server hadn't
+ * accepted /api/health yet, and the doctor check raised "unreachable" inside
+ * the 1500ms window. This wrapper retries 3× at 50/200/800 ms — total
+ * worst-case ~1s extra — and only on `unreachable`. `identity` and `legacy`
+ * are terminal: a daemon answering with a different project root or 404 is
+ * a real signal, not a race.
+ *
+ * Mirrors the retry pattern from `bin/lib/file-sync.mjs:syncWithRetry`
+ * (`feedback_transient_retry_circuit_breaker` — every transient-error op
+ * uses 50/200/800ms backoff).
+ *
+ * Worst-case elapsed = (PROBE_RETRY_BACKOFF_MS.length + 1) × timeoutMs
+ * + sum(PROBE_RETRY_BACKOFF_MS). For doctor's 1500ms timeout that's
+ * 4 × 1500 + 1050 ≈ 7s, fully off the hot path; callers picking a tighter
+ * timeout should account for the 4× multiplier.
+ */
+export async function probeDaemonHealthWithRetry(port, timeoutMs) {
+    let last = { kind: 'unreachable' };
+    const maxAttempts = PROBE_RETRY_BACKOFF_MS.length + 1;
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+        if (attempt > 0) {
+            await new Promise((resolve) => setTimeout(resolve, PROBE_RETRY_BACKOFF_MS[attempt - 1]));
+        }
+        last = await probeDaemonHealth(port, timeoutMs);
+        if (last.kind !== 'unreachable')
+            return last;
+    }
+    return last;
+}
+//# sourceMappingURL=daemon-port.js.map