moflo 4.9.1 → 4.9.3

package/bin/session-start-launcher.mjs

@@ -11,7 +11,7 @@ import { spawn, execFileSync } from 'child_process';
 import { existsSync, readFileSync, writeFileSync, copyFileSync, unlinkSync, readdirSync, mkdirSync, statSync } from 'fs';
 import { resolve, dirname, join } from 'path';
 import { fileURLToPath } from 'url';
-import { migrateClaudeFlowToMoflo, migrateMemoryDbToMoflo, mofloDir } from './lib/moflo-paths.mjs';
+import { mofloDir } from './lib/moflo-paths.mjs';
 import { repairMemoryDbIfCorrupt } from './lib/db-repair.mjs';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -60,6 +60,48 @@ function emitMutation(action, details) {
   }
 }
 
+// Stderr counterpart to emitMutation for non-fatal failures (#854). Every
+// previously-bare `catch {}` in the upgrade flow is routed through here so
+// partial-migration regressions can never go silent again. The inner try
+// guards against a broken stderr pipe — writing the failure itself must
+// never throw, otherwise a fast session-end would surface as a crash.
+function emitWarning(message) {
+  try {
+    process.stderr.write(`moflo: ${message}\n`);
+  } catch { /* stderr write must not throw */ }
+}
+function errMessage(err) {
+  return err && err.message ? err.message : String(err);
+}
+
+// Manifest schema (#854 hardening). Originally `string[]`; now `{path,size}[]`
+// so the launcher can detect *content* drift, not just *missing-file* drift.
+// Reading accepts both forms — a legacy v1 manifest is reported via
+// `isLegacy=true` so the drift check forces one re-sync to migrate to v2,
+// closing the failure mode where a v4.9.2 launcher writes a stamp+manifest
+// in stage 1 of an upgrade and the v4.9.3 launcher (with this fix) sees
+// `installedVersion === cachedVersion` + no file-missing drift, then skips
+// section 3 leaving stale `gate.cjs` etc. stuck.
+function readInstallManifest(manifestPath) {
+  let raw;
+  try { raw = readFileSync(manifestPath, 'utf-8'); } catch { return { entries: [], isLegacy: false }; }
+  let parsed;
+  try { parsed = JSON.parse(raw); } catch { return { entries: [], isLegacy: false }; }
+  if (!Array.isArray(parsed)) return { entries: [], isLegacy: false };
+  let isLegacy = false;
+  const entries = [];
+  for (const item of parsed) {
+    if (typeof item === 'string') {
+      isLegacy = true;
+      entries.push({ path: item, size: null });
+    } else if (item && typeof item === 'object' && typeof item.path === 'string') {
+      entries.push({ path: item.path, size: typeof item.size === 'number' ? item.size : null });
+    }
+    // malformed entries are silently dropped — not surfaceable, never written by us
+  }
+  return { entries, isLegacy };
+}
+
 const plural = (n, word) => `${n} ${word}${n === 1 ? '' : 's'}`;
 
 // Captured inside the upgrade/drift branch so the post-spawn notice writer
@@ -116,56 +158,21 @@ try {
   unlinkSync(join(mofloDir(projectRoot), 'upgrade-notice.json'));
 } catch { /* non-fatal — file usually doesn't exist */ }
 
-// ── 0. LEGACY state migration (#699, #735) ──────────────────────────────────
-// Consumers upgrading from older moflo builds (inherited from upstream Ruflo)
-// get a one-time auto-migration of LEGACY `.claude-flow/` → `.moflo/` so claim
-// files, models cache, metrics, and the version stamp survive the rename.
-// The migration helper is idempotent — see bin/lib/moflo-paths.mjs for the
-// algorithm.
+// ── 0. Legacy whole-DB / directory migrations have been retired (#851) ─────
+// LEGACY-V2: Pre-#851 the launcher renamed `.claude-flow/` → `.moflo/` and
+// byte-copied `.swarm/memory.db` → `.moflo/moflo.db` on every session start.
+// Both blocks ran silently against a daemon that was still holding the old
+// paths in memory, leaving consumers with ghost runtime files reappearing
+// in legacy dirs and a `.gitignore` deletion that exposed 30+ daemon-state
+// files for commit. See docs/moflo-4.9.1-upgrade-experience-2026-05-02.md
+// for the full UX failure report.
 //
-// Staged removal contract (#735):
-//   1. THIS release ships Phase 1 (writers redirected to `.moflo/`) + Phase 2 // LEGACY
-//      (this migration call moves stragglers + warns on collisions).
-//   2. The release AFTER Phase 1 is steady-state should hard-delete any
-//      remaining empty `.claude-flow/` directory — until then, the helper // LEGACY
-//      drops the dir naturally once everything's been moved.
-// LEGACY: every emit below stops firing once `.claude-flow/` is gone.
-try {
-  const cfMigration = migrateClaudeFlowToMoflo(projectRoot);
-  if (cfMigration?.migrated) {
-    const count = cfMigration.movedCount ?? 0;
-    emitMutation(`migrated ${plural(count, 'entry')} from legacy .claude-flow/`); // LEGACY
-  }
-  // Surface collisions so users notice that BOTH locations now hold the same
-  // subdir name (most often `models/` after a partial pre-#735 migration).
-  // Manual cleanup is needed — moflo refuses to silently choose.
-  if ((cfMigration?.collisions?.length ?? 0) > 0) {
-    const collisionMsg = 'kept legacy .claude-flow/ entries to avoid clobbering .moflo/'; // LEGACY
-    emitMutation(collisionMsg, `collisions: ${cfMigration.collisions.join(', ')}`);
-  }
-} catch {
-  // Non-fatal — anything left behind by the migration just means it runs
-  // again next session. Better to keep launching than to block on it.
-}
-
-// ── 0b. LEGACY memory DB relocation (#727) ──────────────────────────────────
-// Run BEFORE long-lived sql.js consumers (MCP server, daemon) — see the
-// `migrateMemoryDbToMoflo` JSDoc for the copy-verify-delete contract and
-// the sql.js write-back hazard.
-try {
-  const dbMigration = migrateMemoryDbToMoflo(projectRoot);
-  if (dbMigration?.migrated) {
-    const detail = dbMigration.hnswMoved
-      ? '.swarm/memory.db → .moflo/moflo.db (with hnsw.index)'
-      : '.swarm/memory.db → .moflo/moflo.db';
-    emitMutation('relocated memory db', detail);
-    if (dbMigration.reason === 'rename-failed') {
-      emitMutation('legacy .swarm/memory.db remains', 'rename to .bak failed — flo doctor will warn');
-    }
-  }
-} catch {
-  // Non-fatal — failed migration leaves both DBs in place; next session retries.
-}
+// The version-bump-gated cherry-pick now lives inside section 3 (which is
+// already the gate on the `.moflo/moflo-version` stamp). It stops the daemon
+// first, then `INSERT OR IGNORE`s only the user-authored `learnings` /
+// `knowledge` namespaces — every other DB row is derived and rebuilds via
+// the indexers. LEGACY-V2 directories (`.swarm/`, `.claude-flow/`) are left
+// in place as recovery sources; users delete them at their leisure.
 
 // ── 0c. Memory DB index repair (#743) ───────────────────────────────────────
 // The .moflo/moflo.db SQLite file accumulates index corruption ("row N missing
@@ -215,16 +222,14 @@ function fireAndForget(cmd, args, label) {
   }
 }
 
-// Stop the daemon recorded in `lockFile` (if any) and start a fresh one. Used
-// from two recycle paths in this launcher: (a) the version-bump branch when
-// installed moflo just changed, and (b) the stale-daemon branch when the
-// running daemon predates the current install by a meaningful margin.
+// Stop the daemon recorded in `lockFile` (if any) without restarting. Used by
+// the upgrade flow before any DB work — the daemon must not be holding old
+// path resolution in memory, and a concurrent sql.js flush would clobber the
+// cherry-picked rows. Returns true when a live PID was actually killed.
 //
-// Reads the lock, SIGTERMs the recorded PID, removes the lock, and fires a
-// `daemon start --quiet` against `node_modules/moflo/bin/cli.js`. Every
-// failure mode (no lock, dead PID, missing CLI) is silently absorbed — the
-// recycle is best-effort and must never block session start.
-function recycleDaemon(lockFile, label) {
+// Section 4's `hooks.mjs session-start` spawn is responsible for starting a
+// fresh daemon under the current code; this function intentionally does not.
+function stopDaemon(lockFile) {
   if (!existsSync(lockFile)) return false;
   let stalePid = null;
   try {
@@ -235,16 +240,20 @@ function recycleDaemon(lockFile, label) {
     try { process.kill(stalePid, 'SIGTERM'); } catch { /* already dead */ }
   }
   try { unlinkSync(lockFile); } catch { /* non-fatal */ }
-  // Respawn only if a live daemon was actually recorded — no point starting
-  // one when there wasn't one before.
-  if (stalePid !== null) {
-    const localCliPath = resolve(projectRoot, 'node_modules/moflo/bin/cli.js');
-    if (existsSync(localCliPath)) {
-      fireAndForget('node', [localCliPath, 'daemon', 'start', '--quiet'], label);
-    }
-    return true;
+  return stalePid !== null;
+}
+
+// Stop-and-restart helper for the stale-daemon branch (section 3a-pre). The
+// version-bump branch uses stopDaemon directly + relies on section 4 for the
+// fresh start.
+function recycleDaemon(lockFile, label) {
+  const stopped = stopDaemon(lockFile);
+  if (!stopped) return false;
+  const localCliPath = resolve(projectRoot, 'node_modules/moflo/bin/cli.js');
+  if (existsSync(localCliPath)) {
+    fireAndForget('node', [localCliPath, 'daemon', 'start', '--quiet'], label);
   }
-  return false;
+  return true;
 }
 
 // ── 2. Reset workflow state for new session ──────────────────────────────────
@@ -279,7 +288,11 @@ try {
     if (scriptsMatch) autoUpdateConfig.scripts = scriptsMatch[1] === 'true';
     if (helpersMatch) autoUpdateConfig.helpers = helpersMatch[1] === 'true';
   }
-} catch { /* non-fatal — use defaults (all true) */ }
+} catch (err) {
+  // Defaults (all true) keep the upgrade flow alive but the user should
+  // see when their moflo.yaml fails to parse (#854).
+  emitWarning(`moflo.yaml parse failed (${errMessage(err)}) — using defaults`);
+}
 
 try {
   const mofloPkgPath = resolve(projectRoot, 'node_modules/moflo/package.json');
@@ -289,18 +302,27 @@ try {
     let cachedVersion = '';
     try { cachedVersion = readFileSync(versionStampPath, 'utf-8').trim(); } catch {}
 
-    // Drift healing: re-sync if any previously-installed file is missing, even
-    // when version stamp matches. Guards against out-of-band deletions (manual
-    // rm, botched merges, dedup commits, etc.) that would otherwise silently
-    // leave .claude/scripts/ incomplete until the next moflo upgrade.
+    // Drift healing: re-sync if any previously-installed file is missing
+    // OR has drifted in size since we last wrote it. Guards against:
+    //   - out-of-band deletions (manual rm, botched merges, dedup commits)
+    //   - stale-content drift (a prior partial migration left the file at
+    //     pre-upgrade content even though it still exists — #854)
+    //   - legacy v1 manifests written by an older launcher (force one
+    //     re-sync to migrate to v2 so subsequent runs can size-check)
     const manifestPath = resolve(projectRoot, '.moflo', 'installed-files.json');
-    let manifestDrifted = false;
-    try {
-      const prev = JSON.parse(readFileSync(manifestPath, 'utf-8'));
-      if (Array.isArray(prev)) {
-        manifestDrifted = prev.some(f => !existsSync(resolve(projectRoot, f)));
+    const { entries: priorEntries, isLegacy: manifestIsLegacy } = readInstallManifest(manifestPath);
+    let manifestDrifted = manifestIsLegacy;
+    if (!manifestDrifted) {
+      for (const { path: rel, size } of priorEntries) {
+        const abs = resolve(projectRoot, rel);
+        if (!existsSync(abs)) { manifestDrifted = true; break; }
+        if (size !== null) {
+          try {
+            if (statSync(abs).size !== size) { manifestDrifted = true; break; }
+          } catch { manifestDrifted = true; break; }
+        }
       }
-    } catch { /* no manifest yet — version check handles first install */ }
+    }
 
     if (installedVersion !== cachedVersion || manifestDrifted) {
       if (installedVersion !== cachedVersion) {
@@ -326,6 +348,63 @@ try {
       // migration). See #738 — section 3f flips this to a 2-min "completed"
       // badge once work finishes (TTL rationale at the constants above).
       writeUpgradeNotice('in-progress');
+
+      // Stop the daemon BEFORE any DB writes (#851). It was started under the
+      // previous moflo image and holds old path resolution + module cache in
+      // memory; a concurrent sql.js flush would clobber the cherry-picked
+      // rows below, and old-path writes would resurrect ghost files in legacy
+      // dirs. Section 4's `hooks.mjs session-start` spawns a fresh daemon
+      // under the current code once 3g writes the version stamp.
+      const upgradeDaemonLock = resolve(projectRoot, '.moflo', 'daemon.lock');
+      if (stopDaemon(upgradeDaemonLock)) {
+        emitMutation('stopped daemon for upgrade', 'will restart fresh after upgrade work');
+      }
+
+      // Cherry-pick durable rows from any legacy DBs (#851). Replaces the
+      // pre-#851 full-DB byte-copy migration. The service is idempotent
+      // (INSERT OR IGNORE on UNIQUE(namespace, key)) so an aborted launcher
+      // re-runs cleanly without duplicate rows. Sources are read-only —
+      // .swarm/memory.db is preserved as a recovery source.
+      try {
+        const cherryPickPaths = [
+          resolve(projectRoot, 'node_modules/moflo/dist/src/cli/services/cherry-pick-learnings.js'),
+          resolve(projectRoot, 'dist/src/cli/services/cherry-pick-learnings.js'),
+        ];
+        const cherryPickPath = cherryPickPaths.find((p) => existsSync(p));
+        if (cherryPickPath) {
+          const mod = await import(`file://${cherryPickPath.replace(/\\/g, '/')}`);
+          if (typeof mod.cherryPickLearningsFromLegacy === 'function') {
+            const result = await mod.cherryPickLearningsFromLegacy({ projectRoot });
+            if (result.copied > 0) {
+              emitMutation(
+                'copied learnings forward',
+                `${plural(result.copied, 'learning/knowledge entry')} cherry-picked from legacy db`,
+              );
+            }
+            // LEGACY-V2: One-time hint that legacy dirs are recoverable.
+            // Only emit when the user actually has legacy state — silent
+            // fast-path for fresh installs and consumers who already cleaned
+            // up. The legacy dirs are intentionally never auto-deleted; they
+            // exist as recovery sources for the cherry-pick (#851).
+            const hasLegacy =
+              existsSync(resolve(projectRoot, '.swarm', 'memory.db')) || // LEGACY-V2
+              existsSync(resolve(projectRoot, '.swarm', 'memory.db.bak')) || // LEGACY-V2
+              existsSync(resolve(projectRoot, '.claude-flow')); // LEGACY-V2
+            if (hasLegacy) {
+              emitMutation(
+                'legacy .swarm/ + .claude-flow/ left in place', // LEGACY-V2
+                'safe to delete — derived data rebuilds on demand',
+              );
+            }
+          }
+        }
+      } catch (err) {
+        try {
+          const msg = err && err.message ? err.message : String(err);
+          process.stderr.write(`cherry-pick learnings skipped: ${msg}\n`);
+        } catch { /* stderr write must not throw */ }
+      }
+
       const binDir = resolve(projectRoot, 'node_modules/moflo/bin');
 
       // ── Manifest-based auto-update ──────────────────────────────────────
@@ -342,23 +421,86 @@ try {
       //  3. That's it — cleanup is automatic on the next upgrade
       // ────────────────────────────────────────────────────────────────────
 
-      // Load the previous manifest so we can diff after syncing
-      let previousManifest = [];
-      try { previousManifest = JSON.parse(readFileSync(manifestPath, 'utf-8')); } catch { /* ok */ }
+      // Load the previous manifest so we can diff after syncing.
+      // Both v1 (string[]) and v2 ({path,size}[]) are normalized to entries
+      // by readInstallManifest — the cleanup loop only needs the path field.
+      const { entries: previousManifest } = readInstallManifest(manifestPath);
 
       // Track every file we install this round
       const currentManifest = [];
+      // Per-file copy failures used to be invisible (#854): a Windows file
+      // lock / AV real-time scan / concurrent helper invocation would EBUSY
+      // the copy, the bare catch swallowed it, and the file stayed at its
+      // pre-upgrade content forever because it was never recorded in the
+      // manifest. Surface failures on stderr — Claude Code captures
+      // session-start stderr as additionalContext so the user sees them too.
+      const syncFailures = [];
+
+      // Standard retry with exponential backoff + circuit breaker for the
+      // transient error class (EBUSY / EPERM / EACCES — Windows file lock,
+      // AV real-time scan, concurrent helper invocation). Hard errors
+      // (ENOENT, etc.) fall through immediately. Once 5 distinct files have
+      // exhausted retries the circuit opens and the tail of the sync runs
+      // with maxAttempts=1 so a sick host (AV mid-scan over node_modules)
+      // doesn't compound the wall-clock cost. Async setTimeout — never
+      // busy-wait in a session-start hook (CPU pinning during EBUSY backoff
+      // is the worst possible response when the OS is the bottleneck).
+      const TRANSIENT_CODES = new Set(['EBUSY', 'EPERM', 'EACCES']);
+      const RETRY_BACKOFF_MS = [50, 200, 800];
+      const CIRCUIT_BREAK_THRESHOLD = 5;
+      let circuitOpen = false;
+      const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+      async function syncWithRetry(operation) {
+        const maxAttempts = circuitOpen ? 1 : RETRY_BACKOFF_MS.length + 1;
+        let lastErr = null;
+        let lastCode = null;
+        for (let attempt = 0; attempt < maxAttempts; attempt++) {
+          if (attempt > 0) await sleep(RETRY_BACKOFF_MS[attempt - 1]);
+          try {
+            operation();
+            return { ok: true };
+          } catch (err) {
+            lastErr = err;
+            lastCode = err && err.code ? err.code : null;
+            if (!TRANSIENT_CODES.has(lastCode)) break;
+          }
+        }
+        if (!circuitOpen && syncFailures.length + 1 >= CIRCUIT_BREAK_THRESHOLD) {
+          circuitOpen = true;
+        }
+        return { ok: false, err: lastErr, code: lastCode };
+      }
 
-      /** Copy src → dest if src exists, record in manifest. */
-      function syncFile(src, dest, manifestKey) {
-        if (existsSync(src)) {
-          try { copyFileSync(src, dest); currentManifest.push(manifestKey); } catch { /* non-fatal */ }
+      /** Copy src → dest if src exists, record `{path, size}` in manifest.
+       * Retries the transient error class with backoff (#854); failures land
+       * in syncFailures for the post-block stderr summary. The recorded size
+       * is read from the just-written destination so a subsequent launcher
+       * can detect content drift via size mismatch. */
+      function recordManifestEntry(manifestKey, dest) {
+        let size = null;
+        try { size = statSync(dest).size; } catch { /* size left null — drift check still works on file-existence */ }
+        currentManifest.push({ path: manifestKey, size });
+      }
+      async function syncFile(src, dest, manifestKey) {
+        if (!existsSync(src)) return;
+        const result = await syncWithRetry(() => copyFileSync(src, dest));
+        if (result.ok) {
+          recordManifestEntry(manifestKey, dest);
+          return;
         }
+        const tail = TRANSIENT_CODES.has(result.code)
+          ? ` (retried ${RETRY_BACKOFF_MS.length}× after ${result.code}${circuitOpen ? '; circuit open' : ''})`
+          : '';
+        syncFailures.push({ key: manifestKey, message: `${errMessage(result.err)}${tail}` });
       }
 
       // Version changed — sync scripts from bin/
       if (autoUpdateConfig.scripts) {
         const scriptsDir = resolve(projectRoot, '.claude/scripts');
+        // Ensure the destination dir exists — first-install consumers may
+        // not have it yet, in which case every copyFileSync below would
+        // silently ENOENT (#854).
+        if (!existsSync(scriptsDir)) mkdirSync(scriptsDir, { recursive: true });
         const scriptFiles = [
           'hooks.mjs', 'session-start-launcher.mjs', 'index-guidance.mjs',
           'build-embeddings.mjs', 'generate-code-map.mjs', 'semantic-search.mjs',
@@ -366,7 +508,7 @@ try {
           'setup-project.mjs', 'run-migrations.mjs',
         ];
         for (const file of scriptFiles) {
-          syncFile(resolve(binDir, file), resolve(scriptsDir, file), `.claude/scripts/${file}`);
+          await syncFile(resolve(binDir, file), resolve(scriptsDir, file), `.claude/scripts/${file}`);
         }
 
         // Sync lib/ subdirectory (process-manager.mjs, registry-cleanup.cjs, etc.)
@@ -377,7 +519,7 @@ try {
         if (existsSync(libSrcDir)) {
           if (!existsSync(libDestDir)) mkdirSync(libDestDir, { recursive: true });
           for (const file of readdirSync(libSrcDir)) {
-            syncFile(resolve(libSrcDir, file), resolve(libDestDir, file), `.claude/scripts/lib/${file}`);
+            await syncFile(resolve(libSrcDir, file), resolve(libDestDir, file), `.claude/scripts/lib/${file}`);
           }
         }
 
@@ -391,7 +533,8 @@ try {
           let migrationEntries;
           try {
             migrationEntries = readdirSync(migrationsSrcDir, { recursive: true, withFileTypes: true });
-          } catch {
+          } catch (err) {
+            emitWarning(`migrations source readdir failed (${errMessage(err)})`);
             migrationEntries = [];
           }
           for (const entry of migrationEntries) {
@@ -400,8 +543,10 @@ try {
             const absSrc = resolve(parent, entry.name);
             const rel = absSrc.slice(migrationsSrcDir.length + 1).split(/[\\/]/).join('/');
             const absDest = resolve(migrationsDestDir, rel);
-            try { mkdirSync(dirname(absDest), { recursive: true }); } catch { /* non-fatal */ }
-            syncFile(absSrc, absDest, `.claude/scripts/migrations/${rel}`);
+            try { mkdirSync(dirname(absDest), { recursive: true }); } catch (err) {
+              emitWarning(`migrations subdir mkdir failed for ${rel} (${errMessage(err)})`);
+            }
+            await syncFile(absSrc, absDest, `.claude/scripts/migrations/${rel}`);
           }
         }
       }
@@ -416,7 +561,7 @@ try {
           'gate.cjs', 'gate-hook.mjs', 'prompt-hook.mjs', 'hook-handler.cjs',
         ];
         for (const file of binHelperFiles) {
-          syncFile(resolve(binDir, file), resolve(helpersDir, file), `.claude/helpers/${file}`);
+          await syncFile(resolve(binDir, file), resolve(helpersDir, file), `.claude/helpers/${file}`);
         }
 
         // Other helpers from .claude/helpers/ and CLI .claude/helpers/
@@ -434,7 +579,19 @@ try {
           for (const srcDir of helperSources) {
             const src = resolve(srcDir, file);
             if (existsSync(src)) {
-              try { copyFileSync(src, dest); currentManifest.push(`.claude/helpers/${file}`); } catch { /* non-fatal */ }
+              const inlineResult = await syncWithRetry(() => copyFileSync(src, dest));
+              if (inlineResult.ok) {
+                recordManifestEntry(`.claude/helpers/${file}`, dest);
+              } else {
+                const code = inlineResult.code;
+                const tail = TRANSIENT_CODES.has(code)
+                  ? ` (retried ${RETRY_BACKOFF_MS.length}× after ${code}${circuitOpen ? '; circuit open' : ''})`
+                  : '';
+                syncFailures.push({
+                  key: `.claude/helpers/${file}`,
+                  message: `${errMessage(inlineResult.err)}${tail}`,
+                });
+              }
               break; // first source wins
             }
           }
@@ -453,26 +610,31 @@ try {
             const dest = resolve(guidanceDir, file);
             const content = readFileSync(src, 'utf-8');
             writeFileSync(dest, sessionStartMirrorHeader(file) + content);
-            currentManifest.push(`.claude/guidance/${file}`);
+            recordManifestEntry(`.claude/guidance/${file}`, dest);
           }
-        } catch { /* non-fatal */ }
+        } catch (err) {
+          emitWarning(`shipped guidance sync failed (${errMessage(err)})`);
+        }
       }
 
       // ── Clean up files we installed previously but no longer ship ──
       // Only remove files that are in the OLD manifest but NOT in the new one.
       // This ensures we never delete user-created or runtime-generated files.
+      // Both v1 (string) and v2 ({path,size}) old entries are normalized to
+      // entries by readInstallManifest; we only need the path for cleanup.
       let removedFiles = 0;
       if (previousManifest.length > 0) {
-        const currentSet = new Set(currentManifest);
-        for (const rel of previousManifest) {
-          if (!currentSet.has(rel)) {
-            const abs = resolve(projectRoot, rel);
-            try {
-              if (existsSync(abs)) {
-                unlinkSync(abs);
-                removedFiles++;
-              }
-            } catch { /* non-fatal */ }
+        const currentSet = new Set(currentManifest.map((e) => e.path));
+        for (const { path: rel } of previousManifest) {
+          if (currentSet.has(rel)) continue;
+          const abs = resolve(projectRoot, rel);
+          try {
+            if (existsSync(abs)) {
+              unlinkSync(abs);
+              removedFiles++;
+            }
+          } catch (err) {
+            emitWarning(`cleanup unlink failed for ${rel} (${errMessage(err)})`);
           }
         }
       }
@@ -480,21 +642,22 @@ try {
         emitMutation('cleaned up retired files', `${removedFiles} removed`);
       }
 
-      // Recycle the running daemon — its in-process module cache holds the
-      // previous moflo image. After an upgrade that cache is stale, which
-      // shows up as warnings from removed code paths (e.g. the
-      // `[neural-tools] @moflo/embeddings not resolvable` spam from #639,
-      // emitted by pre-#592 collapse code that no longer exists in source)
-      // and means freshly-disabled workers keep running.
-      //
-      // `daemon.autoStart` only governs the cold-start case (no daemon
-      // existed); here a daemon was actually running, so replacing it with a
-      // current-code copy is the desired behaviour regardless of that flag.
-      try {
-        if (recycleDaemon(resolve(projectRoot, '.moflo', 'daemon.lock'), 'daemon-recycle')) {
-          emitMutation('recycled daemon', 'load fresh moflo code');
-        }
-      } catch { /* non-fatal — daemon recycle is best-effort */ }
+      // The daemon was already stopped above so the lock file is gone and
+      // there's no live PID to recycle here. Section 4's `hooks.mjs
+      // session-start` will spawn a fresh daemon under the current moflo
+      // image once 3g writes the version stamp.
+
+      // Surface per-file copy failures so the user / Claude can see what
+      // didn't sync (#854). The file isn't in the manifest either, so the
+      // next-upgrade cleanup pass can never reconcile it on its own —
+      // direct the user at `flo doctor --fix` as the compensating healer.
+      if (syncFailures.length > 0) {
+        const sample = syncFailures.slice(0, 5).map((f) => `  - ${f.key}: ${f.message}`).join('\n');
+        const more = syncFailures.length > 5 ? `\n  …and ${syncFailures.length - 5} more` : '';
+        emitWarning(
+          `${plural(syncFailures.length, 'file')} failed to sync during upgrade — run 'flo doctor --fix' to repair:\n${sample}${more}`,
+        );
+      }
 
       // Manifest reflects synced files immediately; version stamp is deferred
       // to 3g so an aborted launcher re-runs upgrade detection (#730).
@@ -503,11 +666,19 @@ try {
         if (!existsSync(cfDir)) mkdirSync(cfDir, { recursive: true });
         writeFileSync(manifestPath, JSON.stringify(currentManifest, null, 2));
         pendingVersionStampWrite = { path: versionStampPath, version: installedVersion };
-      } catch {}
+      } catch (err) {
+        // #854: manifest write must surface — without it the next launcher
+        // can't tell what was installed and the version stamp never gets
+        // queued for 3g.
+        emitWarning(`manifest write failed (${errMessage(err)})`);
+      }
     }
   }
-} catch {
-  // Non-fatal — scripts will still work, just may be stale
+} catch (err) {
+  // #854: bare catches here hid upgrade regressions across multiple 4.8.x
+  // bumps. We keep the catch so a single throw doesn't crash the launcher,
+  // but we never silence it.
+  emitWarning(`upgrade section failed (${errMessage(err)})`);
 }
 
 // ── 3a-pre. Recycle daemons started before the current moflo install ────────
@@ -654,14 +825,19 @@ try {
           settingsChanges.push(`repaired ${plural(repaired.length, 'hook wiring')}`);
         }
       }
-    } catch { /* non-fatal — doctor can still fix later */ }
+    } catch (err) {
+      emitWarning(`hook-wiring repair skipped (${errMessage(err)})`);
+    }
 
     if (dirty) {
       writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
       emitMutation('updated .claude/settings.json', settingsChanges.join(', '));
     }
   }
-} catch { /* non-fatal — stale hooks won't block session, just emit warnings */ }
+} catch (err) {
+  // #854: silent fail-loop hid hook breakage — surface so the user can act.
+  emitWarning(`settings.json migration failed (${errMessage(err)})`);
+}
 
 // ── 3b. Ensure shipped guidance files exist (even without version change) ──
 // Subagents need these files on disk for direct reads without memory search.
@@ -706,7 +882,9 @@ try {
       }
     }
   }
-} catch { /* non-fatal */ }
+} catch (err) {
+  emitWarning(`shipped guidance restore failed (${errMessage(err)})`);
+}
 
 // ── 3b-714. Retire legacy `.swarm/vector-stats.json` parallel write (#714) ─
 // `.moflo/vector-stats.json` is canonical post-#699; pre-#714 builds also
@@ -896,11 +1074,15 @@ if (upgradeNoticeContext) {
 
 // ── 3g. Commit deferred version stamp (#730) ────────────────────────────────
 // Written LAST so an abort above leaves the stamp unchanged and the next
-// launcher re-detects the upgrade.
+// launcher re-detects the upgrade. Failure here is surfaced (#854) so a
+// permanently-broken stamp write (filesystem permissions, AV holds) doesn't
+// silently strand consumers in re-detect-on-every-session loops.
 if (pendingVersionStampWrite) {
   try {
     writeFileSync(pendingVersionStampWrite.path, pendingVersionStampWrite.version);
-  } catch { /* non-fatal — next launcher re-detects + retries the upgrade */ }
+  } catch (err) {
+    emitWarning(`version stamp write failed (${errMessage(err)}) — next launcher will re-detect the upgrade`);
+  }
 }
 
 // Bypasses emitMutation — framing, not a mutation, so it must not inflate the count.