openclaw-node-harness 2.1.1 → 2.2.0

package/bin/lane-watchdog.js

@@ -193,29 +193,39 @@ function tailLog(filePath, label) {
 
   const watcher = fs.watch(filePath, { persistent: true }, () => {
     try {
-      const stat = fs.statSync(filePath);
-      if (stat.size < fileSize) {
-        // Log was rotated
+      // Read from current fileSize to EOF — avoid TOCTOU race by not
+      // pre-checking stat.size. createReadStream with just `start` reads
+      // to the end of the file atomically, then we update fileSize from
+      // the bytes actually read.
+      const stream = fs.createReadStream(filePath, {
+        start: fileSize,
+        encoding: 'utf8'
+      });
+      let buffer = '';
+      let bytesRead = 0;
+      stream.on('data', chunk => { buffer += chunk; bytesRead += Buffer.byteLength(chunk, 'utf8'); });
+      stream.on('end', () => {
+        if (bytesRead === 0) return; // no new data
+        const lines = buffer.split('\n').filter(Boolean);
+        for (const line of lines) {
+          parseLine(line);
+        }
+        fileSize += bytesRead;
+      });
+      stream.on('error', (err) => {
+        if (err.code === 'ENOENT') {
+          // File was deleted/rotated — reset position
+          fileSize = 0;
+        } else {
+          log(`ERROR: reading ${label}: ${err.message}`);
+        }
+      });
+    } catch (err) {
+      if (err.code === 'ENOENT') {
         fileSize = 0;
+      } else {
+        log(`ERROR: reading ${label}: ${err.message}`);
       }
-      if (stat.size > fileSize) {
-        const stream = fs.createReadStream(filePath, {
-          start: fileSize,
-          end: stat.size,
-          encoding: 'utf8'
-        });
-        let buffer = '';
-        stream.on('data', chunk => { buffer += chunk; });
-        stream.on('end', () => {
-          const lines = buffer.split('\n').filter(Boolean);
-          for (const line of lines) {
-            parseLine(line);
-          }
-          fileSize = stat.size;
-        });
-      }
-    } catch (err) {
-      log(`ERROR: reading ${label}: ${err.message}`);
     }
   });
 

package/bin/mesh-agent.js

@@ -539,6 +539,8 @@ const ALLOWED_METRIC_PREFIXES = [
 ];
 
 function isAllowedMetric(cmd) {
+  if (/[\n\r\0;`]|\$\(|\|\||&&|<\(|>\(|<<|>>|>\s|\|/.test(cmd)) return false;
+  if (/\bnode\s+(-e\b|--eval\b|-p\b|--print\b|-r\b|--require\b|--import\b)/.test(cmd)) return false;
   return ALLOWED_METRIC_PREFIXES.some(prefix => cmd.startsWith(prefix));
 }
 
@@ -1032,6 +1034,9 @@ async function executeCollabTask(task) {
   // Create worktree for isolation
   const worktreePath = createWorktree(`${task.task_id}-${NODE_ID}`);
   const taskDir = worktreePath || WORKSPACE;
+  if (!worktreePath) {
+    log(`WARNING: Collab task ${task.task_id} running in shared workspace — isolation not achieved`);
+  }
 
   // Periodic session heartbeat — detects abort/completion while waiting for rounds
   const sessionHeartbeat = setInterval(async () => {
@@ -1190,9 +1195,13 @@ async function executeTask(task) {
   // Create isolated worktree for this task (falls back to shared workspace on failure)
   const worktreePath = createWorktree(task.task_id);
   const taskDir = worktreePath || WORKSPACE;
+  const workspaceIsolated = !!worktreePath;
+  if (!workspaceIsolated) {
+    log(`WARNING: Task ${task.task_id} running in shared workspace — isolation not achieved`);
+  }
 
-  // Signal start
-  await natsRequest('mesh.tasks.start', { task_id: task.task_id });
+  // Signal start (include isolation status so daemon knows)
+  await natsRequest('mesh.tasks.start', { task_id: task.task_id, workspace_isolated: workspaceIsolated });
   writeAgentState('working', task.task_id);
   log(`Started: ${task.task_id} (dir: ${worktreePath ? 'worktree' : 'workspace'})`);
 

package/bin/mesh-deploy.js

@@ -47,6 +47,10 @@ const crypto = require('crypto');
 const IS_MAC = os.platform() === 'darwin';
 const HOME = os.homedir();
 const DEPLOY_BRANCH = process.env.OPENCLAW_DEPLOY_BRANCH || 'main';
+if (!/^[a-zA-Z0-9._\/-]+$/.test(DEPLOY_BRANCH)) {
+  console.error(`Invalid DEPLOY_BRANCH: ${DEPLOY_BRANCH}`);
+  process.exit(1);
+}
 const REPO_DIR = process.env.OPENCLAW_REPO_DIR || path.join(HOME, 'openclaw');
 
 // KNOWN ISSUE: Two-directory problem

package/bin/mesh-task-daemon.js

@@ -46,7 +46,7 @@ const ROLE_DIRS = [
 ];
 
 const sc = StringCodec();
-const { NATS_URL } = require('../lib/nats-resolve');
+const { NATS_URL, natsConnectOpts } = require('../lib/nats-resolve');
 const BUDGET_CHECK_INTERVAL = 30000; // 30s
 const STALL_MINUTES = parseInt(process.env.MESH_STALL_MINUTES || '5'); // no heartbeat for this long → stalled
 const CIRCLING_STEP_TIMEOUT_MS = parseInt(process.env.MESH_CIRCLING_STEP_TIMEOUT_MS || String(10 * 60 * 1000)); // 10 min default
@@ -2013,7 +2013,8 @@ function cascadeFailure(plan, failedSubtaskId) {
 async function main() {
   log('Starting mesh task daemon...');
 
-  nc = await connect({ servers: NATS_URL, timeout: 5000 });
+  const natsOpts = natsConnectOpts();
+  nc = await connect({ ...natsOpts, timeout: 5000 });
   log(`Connected to NATS at ${NATS_URL}`);
 
   // Initialize task store
@@ -2085,8 +2086,12 @@ async function main() {
   }
 
   // Start enforcement loops
-  const proposalTimer = setInterval(processProposals, BUDGET_CHECK_INTERVAL);
-  const budgetTimer = setInterval(enforceBudgets, BUDGET_CHECK_INTERVAL);
+  const proposalTimer = setInterval(async () => {
+    try { await processProposals(); } catch (err) { log(`processProposals error: ${err.message}`); }
+  }, BUDGET_CHECK_INTERVAL);
+  const budgetTimer = setInterval(async () => {
+    try { await enforceBudgets(); } catch (err) { log(`enforceBudgets error: ${err.message}`); }
+  }, BUDGET_CHECK_INTERVAL);
   const stallTimer = setInterval(detectStalls, BUDGET_CHECK_INTERVAL);
   const recruitTimer = setInterval(checkRecruitingDeadlines, 5000); // check every 5s
   const circlingStepSweepTimer = setInterval(sweepCirclingStepTimeouts, 60000); // every 60s

package/bin/mesh.js

@@ -27,23 +27,7 @@ const { connect, StringCodec, createInbox } = require('nats');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-
-// ─── Config ──────────────────────────────────────────
-// ── NATS URL resolution: env var → ~/.openclaw/openclaw.env → fallback IP ──
-const NATS_FALLBACK = 'nats://100.91.131.61:4222';
-function resolveNatsUrl() {
-  if (process.env.OPENCLAW_NATS) return process.env.OPENCLAW_NATS;
-  try {
-    const envFile = path.join(os.homedir(), '.openclaw', 'openclaw.env');
-    if (fs.existsSync(envFile)) {
-      const content = fs.readFileSync(envFile, 'utf8');
-      const match = content.match(/^\s*OPENCLAW_NATS\s*=\s*(.+)/m);
-      if (match && match[1].trim()) return match[1].trim();
-    }
-  } catch {}
-  return NATS_FALLBACK;
-}
-const NATS_URL = resolveNatsUrl();
+const { natsConnectOpts } = require('../lib/nats-resolve');
 const SHARED_DIR = path.join(os.homedir(), 'openclaw', 'shared');
 const LOCAL_NODE = os.hostname().toLowerCase().replace(/[^a-z0-9-]/g, '-');
 const sc = StringCodec();
@@ -107,10 +91,11 @@ function checkExecSafety(command) {
  * Connect to NATS with a short timeout (this is a CLI tool, not a daemon).
  */
 async function natsConnect() {
+  const opts = natsConnectOpts();
   try {
-    return await connect({ servers: NATS_URL, timeout: 5000 });
+    return await connect({ ...opts, timeout: 5000 });
   } catch (err) {
-    console.error(`Error: Cannot connect to NATS at ${NATS_URL}`);
+    console.error(`Error: Cannot connect to NATS at ${opts.servers}`);
     console.error(`Is the NATS server running? Is Tailscale connected?`);
     process.exit(1);
   }
@@ -880,7 +865,7 @@ async function cmdPlan(args) {
       }
 
       // Submit to mesh via NATS
-      const nc = await connect({ servers: NATS_URL, timeout: 5000 });
+      const nc = await connect({ ...natsConnectOpts(), timeout: 5000 });
       try {
         const reply = await nc.request(
           'mesh.plans.create',
@@ -908,7 +893,7 @@ async function cmdPlan(args) {
         if (args[i] === '--status' && args[i + 1]) { statusFilter = args[++i]; }
       }
 
-      const nc = await connect({ servers: NATS_URL, timeout: 5000 });
+      const nc = await connect({ ...natsConnectOpts(), timeout: 5000 });
       try {
         const payload = statusFilter ? { status: statusFilter } : {};
         const reply = await nc.request(
@@ -941,7 +926,7 @@ async function cmdPlan(args) {
         process.exit(1);
       }
 
-      const nc = await connect({ servers: NATS_URL, timeout: 5000 });
+      const nc = await connect({ ...natsConnectOpts(), timeout: 5000 });
       try {
         const reply = await nc.request(
           'mesh.plans.get',
@@ -1039,7 +1024,7 @@ async function cmdPlan(args) {
         process.exit(1);
       }
 
-      const nc = await connect({ servers: NATS_URL, timeout: 5000 });
+      const nc = await connect({ ...natsConnectOpts(), timeout: 5000 });
       try {
         const reply = await nc.request(
           'mesh.plans.approve',
@@ -1068,7 +1053,7 @@ async function cmdPlan(args) {
         process.exit(1);
       }
 
-      const nc = await connect({ servers: NATS_URL, timeout: 5000 });
+      const nc = await connect({ ...natsConnectOpts(), timeout: 5000 });
       try {
         const reply = await nc.request(
           'mesh.plans.abort',

package/lib/exec-safety.js

@@ -11,6 +11,30 @@
 
 'use strict';
 
+// Shell metacharacter detection — blocks command chaining/injection.
+// Safe pipes to common read-only utilities are allowed.
+const SHELL_CHAIN_PATTERNS = /[\n\r\0;`]|\$\(|\|\||&&|<\(|>\(|<<|>>|>\s|\|(?!\s*grep\b|\s*head\b|\s*tail\b|\s*wc\b|\s*sort\b)/;
+
+function containsShellChaining(cmd) {
+  // Allow safe pipes to common read-only utilities
+  return SHELL_CHAIN_PATTERNS.test(cmd);
+}
+
+// Dangerous flags that allow arbitrary code execution via node
+const DANGEROUS_NODE_FLAGS = /\bnode\s+(-e\b|--eval\b|-p\b|--print\b|-r\b|--require\b|--import\b|--loader\b|--experimental-loader\b)/;
+
+// Dangerous git flags that allow arbitrary config / code execution
+const DANGEROUS_GIT_FLAGS = /\bgit\s+(-c\s|--config\s)/;
+
+// Dangerous find flags that allow arbitrary command execution
+const DANGEROUS_FIND_FLAGS = /\bfind\b.*\s(-exec\b|-execdir\b|-delete\b|-ok\b|-okdir\b)/;
+
+// Dangerous make variable overrides (SHELL=, CC=, etc.)
+const DANGEROUS_MAKE_FLAGS = /\bmake\b.*\b(SHELL|CC|CXX|LD|AR)=/;
+
+// Dangerous python flags that allow arbitrary code execution
+const DANGEROUS_PYTHON_FLAGS = /\bpython3?\s+(-c\b|-m\s+http)/;
+
 const DESTRUCTIVE_PATTERNS = [
   /\brm\s+(-[a-zA-Z]*)?r[a-zA-Z]*f/,      // rm -rf, rm -fr, rm --recursive --force
   /\brm\s+(-[a-zA-Z]*)?f[a-zA-Z]*r/,       // rm -fr variants
@@ -39,11 +63,15 @@ const DESTRUCTIVE_PATTERNS = [
  * CLI-side uses blocklist only; server-side uses both blocklist + allowlist.
  */
 const ALLOWED_EXEC_PREFIXES = [
-  'git ', 'npm ', 'node ', 'npx ', 'python ', 'python3 ',
+  'git ', 'node ', 'python ', 'python3 ',
+  'npm test', 'npm run test', 'npm run lint', 'npm run build', 'npm run dev',
+  'npm run start', 'npm install', 'npm ci', 'npm ls', 'npm outdated',
+  'npm audit', 'npm version', 'npm pack', 'npm run check',
+  'npx vitest', 'npx jest', 'npx eslint', 'npx prettier', 'npx tsc',
   'cat ', 'ls ', 'head ', 'tail ', 'grep ', 'find ', 'wc ',
   'echo ', 'date ', 'uptime ', 'df ', 'free ', 'ps ',
   'bash openclaw/', 'bash ~/openclaw/', 'bash ./bin/',
-  'cd ', 'pwd', 'which ', 'env ', 'printenv ',
+  'pwd', 'which ',
   'cargo ', 'go ', 'make ', 'pytest ', 'jest ', 'vitest ',
 ];
 
@@ -84,6 +112,30 @@ function validateExecCommand(command) {
     return { allowed: false, reason: 'Empty command' };
   }
 
+  if (containsShellChaining(trimmed)) {
+    return { allowed: false, reason: `Command contains shell chaining operators: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_NODE_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous node flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_GIT_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous git flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_FIND_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous find flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_MAKE_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous make variable override detected: ${trimmed.slice(0, 80)}` };
+  }
+
+  if (DANGEROUS_PYTHON_FLAGS.test(trimmed)) {
+    return { allowed: false, reason: `Dangerous python flag detected: ${trimmed.slice(0, 80)}` };
+  }
+
   const destructive = checkDestructivePatterns(trimmed);
   if (destructive.blocked) {
     return { allowed: false, reason: `Blocked by destructive pattern: ${destructive.pattern}` };
@@ -99,7 +151,13 @@ function validateExecCommand(command) {
 module.exports = {
   DESTRUCTIVE_PATTERNS,
   ALLOWED_EXEC_PREFIXES,
+  DANGEROUS_NODE_FLAGS,
+  DANGEROUS_GIT_FLAGS,
+  DANGEROUS_FIND_FLAGS,
+  DANGEROUS_MAKE_FLAGS,
+  DANGEROUS_PYTHON_FLAGS,
   checkDestructivePatterns,
   isAllowedExecCommand,
   validateExecCommand,
+  containsShellChaining,
 };

package/lib/kanban-io.js

@@ -50,9 +50,8 @@ async function withMkdirLock(filePath, fn) {
       throw err;
     }
   }
-  // Timeout — force acquire (stale lock)
-  try { fs.rmdirSync(lockDir); } catch {}
-  return fn();
+  // Timeout — refuse to proceed without lock to prevent data corruption
+  throw new Error(`kanban-io: lock acquisition timeout after ${maxWait}ms — file may be corrupted`);
 }
 
 // ── Parser ──────────────────────────────────────────
@@ -351,9 +350,13 @@ function _updateTaskInPlaceUnsafe(filePath, taskId, fieldUpdates = {}, arrayAppe
     ...lines.slice(blockEnd),
   ];
 
-  // Atomic write
+  // Atomic write — fsync before rename to ensure data hits disk
   const tmpPath = filePath + '.tmp.' + process.pid;
-  fs.writeFileSync(tmpPath, newLines.join('\n'));
+  const output = newLines.join('\n');
+  const fd = fs.openSync(tmpPath, 'w');
+  fs.writeSync(fd, output);
+  fs.fsyncSync(fd);
+  fs.closeSync(fd);
   fs.renameSync(tmpPath, filePath);
 }
 

package/lib/llm-providers.js

@@ -22,15 +22,26 @@ const fs = require('fs');
 const os = require('os');
 
 // ── Shell Command Security ─────────────────────────
+const SHELL_CHAIN_PATTERNS = /[\n\r\0;`]|\$\(|\|\||&&|<\(|>\(|<<|>>|>\s|\|(?!\s*grep\b|\s*head\b|\s*tail\b|\s*wc\b|\s*sort\b)/;
+
+const DANGEROUS_FIND_FLAGS = /\bfind\b.*\s(-exec\b|-execdir\b|-delete\b|-ok\b|-okdir\b)/;
+
+const DANGEROUS_NODE_FLAGS = /\bnode\s+(-e\b|--eval\b|-p\b|--print\b|-r\b|--require\b|--import\b|--loader\b|--experimental-loader\b)/;
+
 const SHELL_PROVIDER_ALLOWED_PREFIXES = [
   'npm test', 'npm run', 'node ', 'python ', 'pytest', 'cargo test',
-  'go test', 'make', 'jest', 'vitest', 'mocha', 'bash ', 'sh ',
+  'go test', 'make', 'jest', 'vitest', 'mocha',
+  'bash openclaw/', 'bash ~/openclaw/', 'bash ./bin/',
+  'sh openclaw/', 'sh ~/openclaw/', 'sh ./bin/',
   'cat ', 'echo ', 'ls ', 'grep ', 'find ', 'git '
 ];
 
 function validateShellCommand(cmd) {
   const trimmed = (cmd || '').trim();
   if (!trimmed) return false;
+  if (SHELL_CHAIN_PATTERNS.test(trimmed)) return false;
+  if (DANGEROUS_NODE_FLAGS.test(trimmed)) return false;
+  if (DANGEROUS_FIND_FLAGS.test(trimmed)) return false;
   return SHELL_PROVIDER_ALLOWED_PREFIXES.some(p => trimmed.startsWith(p));
 }
 

package/lib/mesh-collab.js

@@ -166,8 +166,9 @@ class CollabStore {
         await this.kv.put(key, sc.encode(JSON.stringify(updated)), { previousSeq: entry.revision });
         return updated;
       } catch (err) {
-        if (attempt === maxRetries - 1) throw err;
-        // conflict — retry
+        const isCasConflict = err.code === '10071' || (err.message && err.message.includes('wrong last sequence'));
+        if (!isCasConflict || attempt === maxRetries - 1) throw err;
+        // CAS conflict — retry
       }
     }
   }
@@ -442,6 +443,7 @@ class CollabStore {
     let nextTurn = null;
     await this._updateWithCAS(sessionId, (session) => {
       if (session.mode !== COLLAB_MODE.SEQUENTIAL) return null;
+      if (session.status !== 'active') return null;
 
       const currentIdx = session.turn_order.indexOf(session.current_turn);
       const nextIdx = currentIdx + 1;
@@ -550,6 +552,9 @@ class CollabStore {
           console.error(`[collab] storeArtifact FAILED for ${sessionId}/${key}: ${err.message}. Removing artifact and persisting without it.`);
           delete session.circling.artifacts[key];
           try {
+            // Recovery write without CAS — acceptable because we're removing the artifact
+            // that caused the failure. Worst case: another concurrent write overwrites this,
+            // but that write also wouldn't have the problematic artifact.
             await this.kv.put(sessionId, sc.encode(JSON.stringify(session)));
           } catch (_) { /* best effort */ }
           return null;
@@ -851,6 +856,7 @@ class CollabStore {
    */
   async markCompleted(sessionId, result) {
     return this._updateWithCAS(sessionId, (session) => {
+      if (['completed', 'aborted'].includes(session.status)) return null;
       session.status = COLLAB_STATUS.COMPLETED;
       session.completed_at = new Date().toISOString();
       session.result = {

package/lib/mesh-harness.js

@@ -22,6 +22,7 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 const { globMatch } = require('./rule-loader');
+const { validateExecCommand } = require('./exec-safety');
 
 // ── Rule Loading ─────────────────────────────────────
 
@@ -241,6 +242,11 @@ function preCommitSecretScan(worktreePath) {
 function postCommitValidate(worktreePath, command) {
   if (!worktreePath || !command) return { passed: true, output: '' };
 
+  const validation = validateExecCommand(command);
+  if (!validation.allowed) {
+    return { passed: false, output: `Validation command blocked: ${validation.reason}` };
+  }
+
   try {
     const output = execSync(command, {
       cwd: worktreePath, timeout: 10000, encoding: 'utf-8', stdio: 'pipe',

package/lib/mesh-plans.js

@@ -38,6 +38,13 @@ const SUBTASK_STATUS = {
 
 // ── Delegation Modes ───────────────────────────────
 
+const PLAN_TRANSITIONS = {
+  approve: new Set(['review', 'draft']),
+  startExecuting: new Set(['approved']),
+  markCompleted: new Set(['executing']),
+  markAborted: new Set(['draft', 'review', 'approved', 'executing']),
+};
+
 const DELEGATION_MODE = {
   SOLO_MESH: 'solo_mesh',
   COLLAB_MESH: 'collab_mesh',
@@ -127,6 +134,11 @@ function createPlan({
   // Compute wave assignments
   assignWaves(enriched);
 
+  // Mark cycle-blocked subtasks (wave === -1) so they don't prevent plan completion
+  for (const st of enriched) {
+    if (st.wave === -1 && st.status === 'pending') st.status = 'blocked';
+  }
+
   const totalBudget = enriched.reduce((sum, st) => sum + st.budget_minutes, 0);
   const maxWave = enriched.reduce((max, st) => Math.max(max, st.wave), 0);
 
@@ -375,8 +387,9 @@ class PlanStore {
         await this.kv.put(key, sc.encode(JSON.stringify(updated)), { previousSeq: entry.revision });
         return updated;
       } catch (err) {
-        if (attempt === maxRetries - 1) throw err;
-        // conflict — retry
+        const isCasConflict = err.code === '10071' || (err.message && err.message.includes('wrong last sequence'));
+        if (!isCasConflict || attempt === maxRetries - 1) throw err;
+        // CAS conflict — retry
       }
     }
   }
@@ -420,6 +433,7 @@ class PlanStore {
 
   async submitForReview(planId) {
     return this._updateWithCAS(planId, (plan) => {
+      if (plan.status !== 'draft') return null;
       plan.status = PLAN_STATUS.REVIEW;
       return plan;
     });
@@ -427,6 +441,7 @@ class PlanStore {
 
   async approve(planId, approvedBy = 'gui') {
     return this._updateWithCAS(planId, (plan) => {
+      if (!PLAN_TRANSITIONS.approve.has(plan.status)) return null;
       plan.status = PLAN_STATUS.APPROVED;
       plan.approved_by = approvedBy;
       plan.approved_at = new Date().toISOString();
@@ -436,6 +451,7 @@ class PlanStore {
 
   async startExecuting(planId) {
     return this._updateWithCAS(planId, (plan) => {
+      if (!PLAN_TRANSITIONS.startExecuting.has(plan.status)) return null;
       plan.status = PLAN_STATUS.EXECUTING;
       plan.started_at = new Date().toISOString();
       return plan;
@@ -444,6 +460,7 @@ class PlanStore {
 
   async markCompleted(planId) {
     return this._updateWithCAS(planId, (plan) => {
+      if (!PLAN_TRANSITIONS.markCompleted.has(plan.status)) return null;
       plan.status = PLAN_STATUS.COMPLETED;
       plan.completed_at = new Date().toISOString();
       return plan;
@@ -452,6 +469,7 @@ class PlanStore {
 
   async markAborted(planId, reason) {
     return this._updateWithCAS(planId, (plan) => {
+      if (!PLAN_TRANSITIONS.markAborted.has(plan.status)) return null;
       plan.status = PLAN_STATUS.ABORTED;
       plan.completed_at = new Date().toISOString();
       for (const st of plan.subtasks) {

package/lib/mesh-tasks.js

@@ -46,6 +46,14 @@ const TASK_STATUS = {
   REJECTED: 'rejected',
 };
 
+const TERMINAL_STATES = new Set([
+  TASK_STATUS.COMPLETED,
+  TASK_STATUS.FAILED,
+  TASK_STATUS.RELEASED,
+  TASK_STATUS.CANCELLED,
+  TASK_STATUS.REJECTED,
+]);
+
 /**
  * Create a new task with the enriched schema.
  * Karpathy-inspired fields: budget_minutes, metric, on_fail, scope.
@@ -158,8 +166,9 @@ class TaskStore {
         await this.kv.put(key, sc.encode(JSON.stringify(updated)), { previousSeq: entry.revision });
         return updated;
       } catch (err) {
-        if (attempt === maxRetries - 1) throw err;
-        // conflict — retry
+        const isCasConflict = err.code === '10071' || (err.message && err.message.includes('wrong last sequence'));
+        if (!isCasConflict || attempt === maxRetries - 1) throw err;
+        // CAS conflict — retry
       }
     }
   }
@@ -253,6 +262,7 @@ class TaskStore {
    */
   async markRunning(taskId) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.status = TASK_STATUS.RUNNING;
       task.started_at = new Date().toISOString();
       return task;
@@ -264,6 +274,7 @@ class TaskStore {
    */
   async markCompleted(taskId, result) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.status = TASK_STATUS.COMPLETED;
       task.completed_at = new Date().toISOString();
       task.result = result;
@@ -277,6 +288,7 @@ class TaskStore {
    */
   async markPendingReview(taskId, result) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.status = TASK_STATUS.PENDING_REVIEW;
       task.result = result;
       task.review_requested_at = new Date().toISOString();
@@ -316,6 +328,7 @@ class TaskStore {
    */
   async markFailed(taskId, reason, attempts = []) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.status = TASK_STATUS.FAILED;
       task.completed_at = new Date().toISOString();
       task.result = { success: false, summary: reason };
@@ -329,6 +342,7 @@ class TaskStore {
    */
   async logAttempt(taskId, attempt) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.attempts.push({
         ...attempt,
         timestamp: new Date().toISOString(),
@@ -343,6 +357,7 @@ class TaskStore {
    */
   async markReleased(taskId, reason, attempts = []) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.status = TASK_STATUS.RELEASED;
       task.completed_at = new Date().toISOString();
       task.result = { success: false, summary: reason, released: true };
@@ -356,6 +371,7 @@ class TaskStore {
    */
   async touchActivity(taskId) {
     return this._updateWithCAS(taskId, (task) => {
+      if (TERMINAL_STATES.has(task.status)) return null;
       task.last_activity = new Date().toISOString();
       return task;
     });
@@ -379,25 +395,25 @@ class TaskStore {
   }
 
   /**
-   * Find running tasks with no activity for `stallMinutes`.
+   * Find running or claimed tasks with no activity for `stallMinutes`.
    * Stall detection is separate from budget — a task can be within budget
    * but the agent process may have died silently.
+   * Claimed tasks that never transition to running (agent crashed after claim)
+   * are also detected and released back to queued.
    */
   async findStalled(stallMinutes = 5) {
     const running = await this.list({ status: TASK_STATUS.RUNNING });
+    const claimed = await this.list({ status: TASK_STATUS.CLAIMED });
     const cutoff = Date.now() - stallMinutes * 60 * 1000;
-    return running.filter(t => {
-      const lastSignal = t.last_activity || t.started_at;
+    return [...running, ...claimed].filter(t => {
+      const lastSignal = t.last_activity || t.started_at || t.claimed_at;
       return lastSignal && new Date(lastSignal) < cutoff;
     });
   }
 
   async _checkDeps(depIds) {
-    for (const depId of depIds) {
-      const dep = await this.get(depId);
-      if (!dep || dep.status !== TASK_STATUS.COMPLETED) return false;
-    }
-    return true;
+    const deps = await Promise.all(depIds.map(id => this.get(id)));
+    return deps.every(dep => dep && dep.status === TASK_STATUS.COMPLETED);
   }
 }