patchwork-os 0.2.0-beta.2 → 0.2.0-beta.4

package/dist/featureFlags.d.ts

@@ -51,8 +51,53 @@ export declare function _resetEnvLockForTesting(): void;
  *   3. Default value from registration
  */
 export declare function isEnabled(flagId: string): boolean;
+/**
+ * Returns true when the given kill-switch flag is **env-locked** — i.e. its
+ * value was frozen at startup from a `PATCHWORK_FLAG_<ID>` environment
+ * variable and any subsequent `setFlag()` call will be silently overridden
+ * by `isEnabled()`.
+ *
+ * Used by the `/kill-switch` endpoint (issue #422) to surface a 409
+ * Conflict instead of returning 200 OK for a setFlag that won't stick,
+ * and by the dashboard to render the toggle as disabled (with a tooltip
+ * naming which direction was sysadmin-locked) when this returns true.
+ *
+ * Returns false for non-kill-switch flags (they read env dynamically and
+ * are never "locked"), for unknown flags, and when `lockKillSwitchEnv()`
+ * has not yet been called.
+ */
+export declare function isEnvLockedFor(flagId: string): boolean;
+/**
+ * Returns the frozen env-locked value for a kill-switch flag (`true` /
+ * `false`), or `null` if not env-locked.
+ *
+ * Used by the dashboard tooltip so the disabled-state can read "env-locked
+ * to **on**" vs "env-locked to **off**" — both directions are policy-locked,
+ * but the user should know which.
+ */
+export declare function getEnvLockedValue(flagId: string): boolean | null;
+/**
+ * Thrown by `setFlag` when a kill-switch flag is env-locked (its value was
+ * frozen at startup via `PATCHWORK_FLAG_<ID>`) and the caller attempts to
+ * mutate it. The `/kill-switch` POST handler catches this and returns a
+ * structured 409 Conflict so the CLI / dashboard can distinguish
+ * "policy-locked" from "bad request" (issue #422, pitfall I9).
+ *
+ * `frozenValue` is the locked direction — callers can surface
+ * "env-locked to on" vs "env-locked to off" in error messages.
+ */
+export declare class EnvLockedFlagError extends Error {
+    readonly flagId: string;
+    readonly frozenValue: boolean;
+    constructor(flagId: string, frozenValue: boolean);
+}
 /**
  * Set a flag value (persists to config file if persist=true).
+ *
+ * Throws `EnvLockedFlagError` if the flag is a kill-switch flag that has been
+ * frozen by `lockKillSwitchEnv()` — a sysadmin env-var override takes
+ * precedence over runtime mutation. The `/kill-switch` POST handler catches
+ * this and returns 409 (pitfall I9 from issue #422).
  */
 export declare function setFlag(flagId: string, value: boolean, persist?: boolean): void;
 /**
@@ -69,11 +114,42 @@ export declare function loadFlags(): void;
 export declare const KILL_SWITCH_WRITES = "kill-switch.writes";
 /** Enable recipe lint with schema validation (A1) */
 export declare const FLAG_SCHEMA_LINT = "ui.schema-lint";
+/**
+ * Watch the flags.json file for cross-process changes. When another
+ * process (typically the `patchwork kill-switch` CLI in its fallback
+ * fs-write path, or a sibling bridge in a multi-bridge deployment)
+ * writes to flags.json, this watcher reloads the in-memory FLAG_VALUES
+ * so the running bridge picks up the new state without a restart.
+ *
+ * v2-S1 + v2-B2 from #422. Closes the "no bridge reachable → CLI
+ * silent fallback → recipes keep writing" gap that motivated the
+ * redesign — even when the CLI's HTTP path fails and it falls back
+ * to writing the file directly, the running bridge still sees the
+ * change.
+ *
+ * **Env-lock interaction:** if `lockKillSwitchEnv()` already froze a
+ * kill-switch value from `PATCHWORK_FLAG_*`, the file-watch flow
+ * still updates FLAG_VALUES, but `isEnabled` continues reading from
+ * the frozen snapshot for that flag (existing behavior at L117-121).
+ * The env-lock is the source of truth — file changes can't override
+ * a sysadmin-mandated kill-switch state. This is the correct policy.
+ *
+ * Modeled on `src/pluginWatcher.ts`: directory-watch + filename
+ * filter + 100ms debounce so coalesced events (rename+create+change
+ * on most filesystems) don't trigger N reloads. Returns a close
+ * handle. Tolerates the file or directory not yet existing.
+ */
+export declare function watchFlags(): () => void;
 /**
  * Check if write operations are globally disabled.
  */
 export declare function isWriteKillSwitchActive(): boolean;
 /**
  * Assert write is allowed — throws if kill switch is active.
+ *
+ * The thrown error carries `code: "kill_switch_blocked"` so the recipe
+ * runner can categorise the resulting halt as `kill_switch` (rather than
+ * a generic `tool_threw`) and the dashboard pill row can flag it
+ * distinctly from real tool failures.
  */
 export declare function assertWriteAllowed(operation: string): void;

package/dist/featureFlags.js

@@ -7,9 +7,11 @@
  *   - Kill switch for write-tier operations
  *   - Per-feature opt-in with default-off safety
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync } from "node:fs";
 import os from "node:os";
 import { join } from "node:path";
+import { watchDirectoryWithFallback } from "./fsWatchWithFallback.js";
+import { writeFileAtomicSync } from "./writeFileAtomic.js";
 /** Flag registry — all known flags */
 const FLAG_REGISTRY = new Map();
 /** Runtime flag values (after env/file resolution) */
@@ -101,13 +103,85 @@ export function isEnabled(flagId) {
     // Unknown flag — default to false (safe)
     return false;
 }
+/**
+ * Returns true when the given kill-switch flag is **env-locked** — i.e. its
+ * value was frozen at startup from a `PATCHWORK_FLAG_<ID>` environment
+ * variable and any subsequent `setFlag()` call will be silently overridden
+ * by `isEnabled()`.
+ *
+ * Used by the `/kill-switch` endpoint (issue #422) to surface a 409
+ * Conflict instead of returning 200 OK for a setFlag that won't stick,
+ * and by the dashboard to render the toggle as disabled (with a tooltip
+ * naming which direction was sysadmin-locked) when this returns true.
+ *
+ * Returns false for non-kill-switch flags (they read env dynamically and
+ * are never "locked"), for unknown flags, and when `lockKillSwitchEnv()`
+ * has not yet been called.
+ */
+export function isEnvLockedFor(flagId) {
+    if (!envLocked)
+        return false;
+    const flag = FLAG_REGISTRY.get(flagId);
+    if (!flag?.isKillSwitch)
+        return false;
+    return FROZEN_KILL_SWITCH_ENV.get(flagId) !== undefined;
+}
+/**
+ * Returns the frozen env-locked value for a kill-switch flag (`true` /
+ * `false`), or `null` if not env-locked.
+ *
+ * Used by the dashboard tooltip so the disabled-state can read "env-locked
+ * to **on**" vs "env-locked to **off**" — both directions are policy-locked,
+ * but the user should know which.
+ */
+export function getEnvLockedValue(flagId) {
+    if (!isEnvLockedFor(flagId))
+        return null;
+    const frozen = FROZEN_KILL_SWITCH_ENV.get(flagId);
+    return frozen === undefined ? null : frozen;
+}
+/**
+ * Thrown by `setFlag` when a kill-switch flag is env-locked (its value was
+ * frozen at startup via `PATCHWORK_FLAG_<ID>`) and the caller attempts to
+ * mutate it. The `/kill-switch` POST handler catches this and returns a
+ * structured 409 Conflict so the CLI / dashboard can distinguish
+ * "policy-locked" from "bad request" (issue #422, pitfall I9).
+ *
+ * `frozenValue` is the locked direction — callers can surface
+ * "env-locked to on" vs "env-locked to off" in error messages.
+ */
+export class EnvLockedFlagError extends Error {
+    flagId;
+    frozenValue;
+    constructor(flagId, frozenValue) {
+        super(`Feature flag "${flagId}" is env-locked to ${frozenValue ? "true" : "false"} ` +
+            `(set at startup via PATCHWORK_FLAG_${flagId.replace(/[.-]/g, "_").toUpperCase()}). ` +
+            `Unset the environment variable to allow runtime mutation.`);
+        this.name = "EnvLockedFlagError";
+        this.flagId = flagId;
+        this.frozenValue = frozenValue;
+    }
+}
 /**
  * Set a flag value (persists to config file if persist=true).
+ *
+ * Throws `EnvLockedFlagError` if the flag is a kill-switch flag that has been
+ * frozen by `lockKillSwitchEnv()` — a sysadmin env-var override takes
+ * precedence over runtime mutation. The `/kill-switch` POST handler catches
+ * this and returns 409 (pitfall I9 from issue #422).
  */
 export function setFlag(flagId, value, persist = false) {
     if (!FLAG_REGISTRY.has(flagId)) {
         throw new Error(`Unknown feature flag: "${flagId}"`);
     }
+    // v2-I9: kill-switch flags that were env-locked at startup must not be
+    // silently overridden — throw so callers (the /kill-switch handler) can
+    // surface a structured 409 instead of returning 200 for a mutation that
+    // won't take effect.
+    if (isEnvLockedFor(flagId)) {
+        const frozen = FROZEN_KILL_SWITCH_ENV.get(flagId);
+        throw new EnvLockedFlagError(flagId, frozen === true);
+    }
     FLAG_VALUES.set(flagId, value);
     if (persist) {
         persistFlags();
@@ -160,7 +234,7 @@ function persistFlags() {
             toSave[id] = value;
         }
     }
-    writeFileSync(path, JSON.stringify(toSave, null, 2));
+    writeFileAtomicSync(path, JSON.stringify(toSave, null, 2));
 }
 // ============================================================================
 // Built-in Flags
@@ -187,6 +261,75 @@ registerFlag({
 });
 // Load persisted flags on module init
 loadFlags();
+/**
+ * Watch the flags.json file for cross-process changes. When another
+ * process (typically the `patchwork kill-switch` CLI in its fallback
+ * fs-write path, or a sibling bridge in a multi-bridge deployment)
+ * writes to flags.json, this watcher reloads the in-memory FLAG_VALUES
+ * so the running bridge picks up the new state without a restart.
+ *
+ * v2-S1 + v2-B2 from #422. Closes the "no bridge reachable → CLI
+ * silent fallback → recipes keep writing" gap that motivated the
+ * redesign — even when the CLI's HTTP path fails and it falls back
+ * to writing the file directly, the running bridge still sees the
+ * change.
+ *
+ * **Env-lock interaction:** if `lockKillSwitchEnv()` already froze a
+ * kill-switch value from `PATCHWORK_FLAG_*`, the file-watch flow
+ * still updates FLAG_VALUES, but `isEnabled` continues reading from
+ * the frozen snapshot for that flag (existing behavior at L117-121).
+ * The env-lock is the source of truth — file changes can't override
+ * a sysadmin-mandated kill-switch state. This is the correct policy.
+ *
+ * Modeled on `src/pluginWatcher.ts`: directory-watch + filename
+ * filter + 100ms debounce so coalesced events (rename+create+change
+ * on most filesystems) don't trigger N reloads. Returns a close
+ * handle. Tolerates the file or directory not yet existing.
+ */
+export function watchFlags() {
+    const flagsPath = getFlagsPath();
+    const flagsDir = join(flagsPath, "..");
+    let debounceTimer = null;
+    let stopped = false;
+    const reload = () => {
+        if (debounceTimer)
+            clearTimeout(debounceTimer);
+        debounceTimer = setTimeout(() => {
+            debounceTimer = null;
+            if (stopped)
+                return;
+            try {
+                loadFlags();
+            }
+            catch {
+                // loadFlags has its own try/catch for parse errors;
+                // this catch is belt-and-suspenders for fs errors.
+            }
+        }, 100);
+    };
+    // Watch the directory rather than the file directly — flags.json may not
+    // exist yet when watch is established, and editors / atomic writes
+    // (rename-into-place) lose direct file watches. The helper falls back to
+    // mtime polling when the dir is missing or fs.watch fails (Windows
+    // network drives, WSL bind mounts), and notices when the dir later appears.
+    const stopWatcher = watchDirectoryWithFallback(flagsDir, () => {
+        if (!stopped)
+            reload();
+    });
+    return () => {
+        stopped = true;
+        if (debounceTimer) {
+            clearTimeout(debounceTimer);
+            debounceTimer = null;
+        }
+        try {
+            stopWatcher();
+        }
+        catch {
+            /* ignore */
+        }
+    };
+}
 // ============================================================================
 // Kill Switch Helpers
 // ============================================================================
@@ -198,11 +341,18 @@ export function isWriteKillSwitchActive() {
 }
 /**
  * Assert write is allowed — throws if kill switch is active.
+ *
+ * The thrown error carries `code: "kill_switch_blocked"` so the recipe
+ * runner can categorise the resulting halt as `kill_switch` (rather than
+ * a generic `tool_threw`) and the dashboard pill row can flag it
+ * distinctly from real tool failures.
  */
 export function assertWriteAllowed(operation) {
     if (isWriteKillSwitchActive()) {
-        throw new Error(`Write operation blocked by kill switch: ${operation}. ` +
+        const err = new Error(`Write operation blocked by kill switch: ${operation}. ` +
             `Unset PATCHWORK_FLAG_KILL_SWITCH_WRITES or set kill-switch.writes=false to restore.`);
+        err.code = "kill_switch_blocked";
+        throw err;
     }
 }
 //# sourceMappingURL=featureFlags.js.map

package/dist/featureFlags.js.map

@@ -1 +1 @@
-{"version":3,"file":"featureFlags.js","sourceRoot":"","sources":["../src/featureFlags.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAkBjC,sCAAsC;AACtC,MAAM,aAAa,GAA6B,IAAI,GAAG,EAAE,CAAC;AAE1D,sDAAsD;AACtD,MAAM,WAAW,GAAyB,IAAI,GAAG,EAAE,CAAC;AAEpD,wBAAwB;AACxB,SAAS,YAAY;IACnB,OAAO,IAAI,CACT,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,EAC9D,QAAQ,EACR,YAAY,CACb,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,IAAiB;IAC5C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,CAAC,EAAE,yBAAyB,CAAC,CAAC;IACrE,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACjC,gCAAgC;IAChC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,sBAAsB,GAAqC,IAAI,GAAG,EAAE,CAAC;AAC3E,IAAI,SAAS,GAAG,KAAK,CAAC;AAEtB;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,SAAS;QAAE,OAAO;IACtB,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,SAAS;QACjC,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnC,sBAAsB,CAAC,GAAG,CACxB,EAAE,EACF,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,CACtD,CAAC;IACJ,CAAC;IACD,SAAS,GAAG,IAAI,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,SAAS,GAAG,KAAK,CAAC;IAClB,sBAAsB,CAAC,KAAK,EAAE,CAAC;AACjC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,MAAc;IACtC,oBAAoB;IACpB,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,oEAAoE;QACpE,6EAA6E;QAC7E,uCAAuC;QACvC,IAAI,SAAS,IAAI,IAAI,EAAE,YAAY,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClD,IAAI,MAAM,KAAK,SAAS;gBAAE,OAAO,MAAM,CAAC;YACxC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QAClC,CAAC;QACD,8DAA8D;QAC9D,MAAM,MAAM,GAAG,kBAAkB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC9E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;QAC3D,CAAC;QACD,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;IAClC,CAAC;IAED,yCAAyC;IACzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,MAAc,EAAE,KAAc,EAAE,OAAO,GAAG,KAAK;IACrE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAE/B,IAAI,OAAO,EAAE,CAAC;QACZ,YAAY,EAAE,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,OAAO,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACvD,GAAG,IAAI;QACP,YAAY,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;KACjC,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAE1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY;IACnB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAE7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,sCAAsC;QACtC,IAAI,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YACxC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC;QACrB,CAAC;IACH,CAAC;IAED,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,gDAAgD;AAChD,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAEvD,qDAAqD;AACrD,MAAM,CAAC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAEjD,0BAA0B;AAC1B,YAAY,CAAC;IACX,EAAE,EAAE,kBAAkB;IACtB,WAAW,EACT,uGAAuG;IACzG,YAAY,EAAE,KAAK;IACnB,QAAQ,EAAE,QAAQ;IAClB,aAAa,EAAE,KAAK;IACpB,YAAY,EAAE,IAAI;CACnB,CAAC,CAAC;AAEH,YAAY,CAAC;IACX,EAAE,EAAE,gBAAgB;IACpB,WAAW,EAAE,4CAA4C;IACzD,YAAY,EAAE,KAAK;IACnB,QAAQ,EAAE,IAAI;IACd,aAAa,EAAE,IAAI;CACpB,CAAC,CAAC;AAEH,sCAAsC;AACtC,SAAS,EAAE,CAAC;AAEZ,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,SAAS,CAAC,kBAAkB,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,IAAI,uBAAuB,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CACb,2CAA2C,SAAS,IAAI;YACtD,qFAAqF,CACxF,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"featureFlags.js","sourceRoot":"","sources":["../src/featureFlags.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAkB3D,sCAAsC;AACtC,MAAM,aAAa,GAA6B,IAAI,GAAG,EAAE,CAAC;AAE1D,sDAAsD;AACtD,MAAM,WAAW,GAAyB,IAAI,GAAG,EAAE,CAAC;AAEpD,wBAAwB;AACxB,SAAS,YAAY;IACnB,OAAO,IAAI,CACT,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,EAC9D,QAAQ,EACR,YAAY,CACb,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,IAAiB;IAC5C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,CAAC,EAAE,yBAAyB,CAAC,CAAC;IACrE,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACjC,gCAAgC;IAChC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,sBAAsB,GAAqC,IAAI,GAAG,EAAE,CAAC;AAC3E,IAAI,SAAS,GAAG,KAAK,CAAC;AAEtB;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,SAAS;QAAE,OAAO;IACtB,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACjD,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,SAAS;QACjC,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnC,sBAAsB,CAAC,GAAG,CACxB,EAAE,EACF,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,CACtD,CAAC;IACJ,CAAC;IACD,SAAS,GAAG,IAAI,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,SAAS,GAAG,KAAK,CAAC;IAClB,sBAAsB,CAAC,KAAK,EAAE,CAAC;AACjC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,MAAc;IACtC,oBAAoB;IACpB,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,oEAAoE;QACpE,6EAA6E;QAC7E,uCAAuC;QACvC,IAAI,SAAS,IAAI,IAAI,EAAE,YAAY,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClD,IAAI,MAAM,KAAK,SAAS;gBAAE,OAAO,MAAM,CAAC;YACxC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QAClC,CAAC;QACD,8DAA8D;QAC9D,MAAM,MAAM,GAAG,kBAAkB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC9E,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC;QAC3D,CAAC;QACD,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;IAClC,CAAC;IAED,yCAAyC;IACzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI,EAAE,YAAY;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,SAAS,CAAC;AAC1D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;AAC9C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3B,MAAM,CAAS;IACf,WAAW,CAAU;IAErC,YAAY,MAAc,EAAE,WAAoB;QAC9C,KAAK,CACH,iBAAiB,MAAM,sBAAsB,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,GAAG;YAC5E,sCAAsC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,KAAK;YACrF,2DAA2D,CAC9D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,OAAO,CAAC,MAAc,EAAE,KAAc,EAAE,OAAO,GAAG,KAAK;IACrE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,qBAAqB;IACrB,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClD,MAAM,IAAI,kBAAkB,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC,CAAC;IACxD,CAAC;IAED,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAE/B,IAAI,OAAO,EAAE,CAAC;QACZ,YAAY,EAAE,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,OAAO,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACvD,GAAG,IAAI;QACP,YAAY,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;KACjC,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAE1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,IAAI,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY;IACnB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAE7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACnC,sCAAsC;QACtC,IAAI,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YACxC,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC;QACrB,CAAC;IACH,CAAC;IAED,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,gDAAgD;AAChD,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAEvD,qDAAqD;AACrD,MAAM,CAAC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAEjD,0BAA0B;AAC1B,YAAY,CAAC;IACX,EAAE,EAAE,kBAAkB;IACtB,WAAW,EACT,uGAAuG;IACzG,YAAY,EAAE,KAAK;IACnB,QAAQ,EAAE,QAAQ;IAClB,aAAa,EAAE,KAAK;IACpB,YAAY,EAAE,IAAI;CACnB,CAAC,CAAC;AAEH,YAAY,CAAC;IACX,EAAE,EAAE,gBAAgB;IACpB,WAAW,EAAE,4CAA4C;IACzD,YAAY,EAAE,KAAK;IACnB,QAAQ,EAAE,IAAI;IACd,aAAa,EAAE,IAAI;CACpB,CAAC,CAAC;AAEH,sCAAsC;AACtC,SAAS,EAAE,CAAC;AAEZ;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAEvC,IAAI,aAAa,GAAyC,IAAI,CAAC;IAC/D,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,MAAM,MAAM,GAAG,GAAS,EAAE;QACxB,IAAI,aAAa;YAAE,YAAY,CAAC,aAAa,CAAC,CAAC;QAC/C,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,aAAa,GAAG,IAAI,CAAC;YACrB,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,CAAC;gBACH,SAAS,EAAE,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,oDAAoD;gBACpD,mDAAmD;YACrD,CAAC;QACH,CAAC,EAAE,GAAG,CAAC,CAAC;IACV,CAAC,CAAC;IAEF,yEAAyE;IACzE,mEAAmE;IACnE,yEAAyE;IACzE,mEAAmE;IACnE,4EAA4E;IAC5E,MAAM,WAAW,GAAG,0BAA0B,CAAC,QAAQ,EAAE,GAAG,EAAE;QAC5D,IAAI,CAAC,OAAO;YAAE,MAAM,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,OAAO,GAAS,EAAE;QAChB,OAAO,GAAG,IAAI,CAAC;QACf,IAAI,aAAa,EAAE,CAAC;YAClB,YAAY,CAAC,aAAa,CAAC,CAAC;YAC5B,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;QACD,IAAI,CAAC;YACH,WAAW,EAAE,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,YAAY;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,SAAS,CAAC,kBAAkB,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,IAAI,uBAAuB,EAAE,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,2CAA2C,SAAS,IAAI;YACtD,qFAAqF,CACxF,CAAC;QACD,GAAiC,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAChE,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/fileLockSync.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Tiny cross-process file mutex for synchronous critical sections.
+ *
+ * Used to wrap append-only JSONL writers (`decisionTraceLog`,
+ * `runLog`, `commitIssueLinkLog`) so two bridge processes sharing
+ * one `~/.claude/ide/` log directory can't interleave bytes within a
+ * single row.
+ *
+ * Why ad-hoc instead of `proper-lockfile`? proper-lockfile is the more
+ * featureful option (TTL refresh, retry jitter, async API) but adds a
+ * runtime dependency for a use case the bridge needs only synchronously
+ * in three call-sites. The pattern below — `openSync(file, "wx")` as
+ * the atomic lock primitive plus a stale-lock cleanup heuristic — is
+ * standard for shell-style flock without a native binding.
+ *
+ * ## Semantics
+ *
+ * `withFileLockSync(file, fn)`:
+ *
+ *   1. Attempts to create `${file}.lock` with `O_EXCL` (`flag: "wx"`).
+ *      First writer wins atomically — the kernel rejects EEXIST for
+ *      every other contender.
+ *   2. On EEXIST, polls with a short busy-wait (`Atomics.wait` would
+ *      need a shared SharedArrayBuffer across processes — out of scope;
+ *      hot-loop with `process.hrtime` instead, kernels schedule sleep
+ *      anyway under contention).
+ *   3. If the existing lock is older than `staleLockMs` (default 30s),
+ *      assumes the owner crashed and force-unlinks it before retrying.
+ *      The append-only JSONL writes the bridge does complete in <1ms in
+ *      practice, so 30s is generous.
+ *   4. Runs `fn()`, unlinks the lock in `finally`. Rethrows fn's
+ *      exception.
+ *
+ * Lock granularity is per-file (each log gets its own lock). At the
+ * bridge's write volume (≤ tens/min across all three logs) contention
+ * is effectively zero.
+ *
+ * ## Failure modes
+ *
+ * - **Deadlock-on-crash:** mitigated by the 30s stale-lock TTL. A bridge
+ *   that crashes mid-append leaves the lock until the next contender
+ *   notices it's stale and clears it. The first crash is invisible
+ *   (target file already written); subsequent contenders pay a 30s
+ *   penalty only if they happen to arrive within the window.
+ * - **TOCTOU on stale-lock unlink:** two processes both decide the lock
+ *   is stale and both `unlinkSync`. Second `unlinkSync` ENOENT is
+ *   swallowed. Both then race the `openSync("wx")` — one wins, the
+ *   other goes back to polling. No data corruption.
+ * - **NFS / non-POSIX FS:** O_EXCL is undefined on stale NFSv2; modern
+ *   NFS (≥ v3 with `noac`) and all local FS we ship on (apfs / ext4 /
+ *   ntfs) implement it correctly.
+ *
+ * @param file - The target file the caller is about to write. The lock
+ *   sentinel is `${file}.lock`.
+ * @param fn - Synchronous critical section. Holds the lock for its
+ *   entire duration.
+ * @param opts.timeoutMs - Max wait for the lock before throwing (default
+ *   5000). Use a small value — appends finish in <1ms in practice; a
+ *   timeout this far above the expected duration only fires if
+ *   something genuinely wrong happens.
+ * @param opts.staleLockMs - Age (ms) at which an existing lock is
+ *   considered abandoned and force-unlinked. Default 30000.
+ */
+export declare function withFileLockSync<T>(file: string, fn: () => T, opts?: {
+    timeoutMs?: number;
+    staleLockMs?: number;
+}): T;

package/dist/fileLockSync.js

@@ -0,0 +1,126 @@
+import { closeSync, openSync, statSync, unlinkSync } from "node:fs";
+/**
+ * Tiny cross-process file mutex for synchronous critical sections.
+ *
+ * Used to wrap append-only JSONL writers (`decisionTraceLog`,
+ * `runLog`, `commitIssueLinkLog`) so two bridge processes sharing
+ * one `~/.claude/ide/` log directory can't interleave bytes within a
+ * single row.
+ *
+ * Why ad-hoc instead of `proper-lockfile`? proper-lockfile is the more
+ * featureful option (TTL refresh, retry jitter, async API) but adds a
+ * runtime dependency for a use case the bridge needs only synchronously
+ * in three call-sites. The pattern below — `openSync(file, "wx")` as
+ * the atomic lock primitive plus a stale-lock cleanup heuristic — is
+ * standard for shell-style flock without a native binding.
+ *
+ * ## Semantics
+ *
+ * `withFileLockSync(file, fn)`:
+ *
+ *   1. Attempts to create `${file}.lock` with `O_EXCL` (`flag: "wx"`).
+ *      First writer wins atomically — the kernel rejects EEXIST for
+ *      every other contender.
+ *   2. On EEXIST, polls with a short busy-wait (`Atomics.wait` would
+ *      need a shared SharedArrayBuffer across processes — out of scope;
+ *      hot-loop with `process.hrtime` instead, kernels schedule sleep
+ *      anyway under contention).
+ *   3. If the existing lock is older than `staleLockMs` (default 30s),
+ *      assumes the owner crashed and force-unlinks it before retrying.
+ *      The append-only JSONL writes the bridge does complete in <1ms in
+ *      practice, so 30s is generous.
+ *   4. Runs `fn()`, unlinks the lock in `finally`. Rethrows fn's
+ *      exception.
+ *
+ * Lock granularity is per-file (each log gets its own lock). At the
+ * bridge's write volume (≤ tens/min across all three logs) contention
+ * is effectively zero.
+ *
+ * ## Failure modes
+ *
+ * - **Deadlock-on-crash:** mitigated by the 30s stale-lock TTL. A bridge
+ *   that crashes mid-append leaves the lock until the next contender
+ *   notices it's stale and clears it. The first crash is invisible
+ *   (target file already written); subsequent contenders pay a 30s
+ *   penalty only if they happen to arrive within the window.
+ * - **TOCTOU on stale-lock unlink:** two processes both decide the lock
+ *   is stale and both `unlinkSync`. Second `unlinkSync` ENOENT is
+ *   swallowed. Both then race the `openSync("wx")` — one wins, the
+ *   other goes back to polling. No data corruption.
+ * - **NFS / non-POSIX FS:** O_EXCL is undefined on stale NFSv2; modern
+ *   NFS (≥ v3 with `noac`) and all local FS we ship on (apfs / ext4 /
+ *   ntfs) implement it correctly.
+ *
+ * @param file - The target file the caller is about to write. The lock
+ *   sentinel is `${file}.lock`.
+ * @param fn - Synchronous critical section. Holds the lock for its
+ *   entire duration.
+ * @param opts.timeoutMs - Max wait for the lock before throwing (default
+ *   5000). Use a small value — appends finish in <1ms in practice; a
+ *   timeout this far above the expected duration only fires if
+ *   something genuinely wrong happens.
+ * @param opts.staleLockMs - Age (ms) at which an existing lock is
+ *   considered abandoned and force-unlinked. Default 30000.
+ */
+export function withFileLockSync(file, fn, opts = {}) {
+    const lockFile = `${file}.lock`;
+    const timeoutMs = opts.timeoutMs ?? 5000;
+    const staleLockMs = opts.staleLockMs ?? 30_000;
+    const deadline = Date.now() + timeoutMs;
+    let lockFd = null;
+    while (lockFd === null) {
+        try {
+            // O_EXCL — atomic create; first caller wins.
+            lockFd = openSync(lockFile, "wx", 0o600);
+        }
+        catch (err) {
+            const code = err.code;
+            if (code !== "EEXIST")
+                throw err;
+            // Stale-lock cleanup. Best-effort: another contender may unlink
+            // ours simultaneously; that race resolves benignly (next openSync
+            // either wins or sees EEXIST again).
+            try {
+                const stat = statSync(lockFile);
+                if (Date.now() - stat.mtimeMs > staleLockMs) {
+                    try {
+                        unlinkSync(lockFile);
+                    }
+                    catch {
+                        /* already gone — another contender beat us to the cleanup */
+                    }
+                    continue;
+                }
+            }
+            catch {
+                // statSync ENOENT — lock cleared between EEXIST and stat; retry
+                // immediately.
+                continue;
+            }
+            if (Date.now() > deadline) {
+                throw new Error(`withFileLockSync: timed out after ${timeoutMs}ms waiting for ${lockFile}`);
+            }
+            // Busy-spin for ~5ms via hrtime. Node has no sync sleep; under
+            // contention the kernel preempts us, so this isn't actually a hot
+            // loop in practice (and tests can pass a 0ms timeout for the
+            // "already locked" case).
+            const spinUntil = process.hrtime.bigint() + 5000000n; // 5ms
+            while (process.hrtime.bigint() < spinUntil) {
+                /* yield */
+            }
+        }
+    }
+    try {
+        closeSync(lockFd);
+        return fn();
+    }
+    finally {
+        try {
+            unlinkSync(lockFile);
+        }
+        catch {
+            /* lock cleared by stale-lock cleanup in another process; ok */
+        }
+    }
+}
+//# sourceMappingURL=fileLockSync.js.map

package/dist/fileLockSync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fileLockSync.js","sourceRoot":"","sources":["../src/fileLockSync.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAEpE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8DG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAY,EACZ,EAAW,EACX,OAAqD,EAAE;IAEvD,MAAM,QAAQ,GAAG,GAAG,IAAI,OAAO,CAAC;IAChC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC;IACzC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAExC,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,OAAO,MAAM,KAAK,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;YACjD,IAAI,IAAI,KAAK,QAAQ;gBAAE,MAAM,GAAG,CAAC;YACjC,gEAAgE;YAChE,kEAAkE;YAClE,qCAAqC;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAChC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,GAAG,WAAW,EAAE,CAAC;oBAC5C,IAAI,CAAC;wBACH,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACvB,CAAC;oBAAC,MAAM,CAAC;wBACP,6DAA6D;oBAC/D,CAAC;oBACD,SAAS;gBACX,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,eAAe;gBACf,SAAS;YACX,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CACb,qCAAqC,SAAS,kBAAkB,QAAQ,EAAE,CAC3E,CAAC;YACJ,CAAC;YACD,+DAA+D;YAC/D,kEAAkE;YAClE,6DAA6D;YAC7D,0BAA0B;YAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,QAAU,CAAC,CAAC,MAAM;YAC9D,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;gBAC3C,WAAW;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,SAAS,CAAC,MAAM,CAAC,CAAC;QAClB,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,UAAU,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;QACjE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/fp/automationInterpreter.d.ts

@@ -10,6 +10,12 @@ import { type ToolResult } from "./result.js";
 /**
  * Returns true if `value` matches the condition pattern.
  * Negation via "!" prefix. Missing pattern → always true.
+ *
+ * On Windows, file paths arrive as `C:\Users\foo\src\bar.ts` while users
+ * write POSIX-style globs (`src/**\/*.ts`). minimatch is strict on `/` and
+ * NTFS is case-insensitive, so without normalisation onFileSave/onFileChanged
+ * hooks silently never fire on Windows. Normalise backslashes to forward
+ * slashes on both sides and pass `nocase` on win32.
  */
 export declare function matchesCondition(pattern: string | undefined, value: string): boolean;
 /**

package/dist/fp/automationInterpreter.js

@@ -16,15 +16,28 @@ function emptyAcc(state) {
 /**
  * Returns true if `value` matches the condition pattern.
  * Negation via "!" prefix. Missing pattern → always true.
+ *
+ * On Windows, file paths arrive as `C:\Users\foo\src\bar.ts` while users
+ * write POSIX-style globs (`src/**\/*.ts`). minimatch is strict on `/` and
+ * NTFS is case-insensitive, so without normalisation onFileSave/onFileChanged
+ * hooks silently never fire on Windows. Normalise backslashes to forward
+ * slashes on both sides and pass `nocase` on win32.
  */
 export function matchesCondition(pattern, value) {
     if (pattern === undefined || pattern === "")
         return true;
+    const isWin = process.platform === "win32";
+    const normValue = isWin ? value.replace(/\\/g, "/") : value;
+    const opts = isWin ? { dot: true, nocase: true } : { dot: true };
     try {
         if (pattern.startsWith("!")) {
-            return !minimatch(value, pattern.slice(1), { dot: true });
+            const inner = isWin
+                ? pattern.slice(1).replace(/\\/g, "/")
+                : pattern.slice(1);
+            return !minimatch(normValue, inner, opts);
         }
-        return minimatch(value, pattern, { dot: true });
+        const normPattern = isWin ? pattern.replace(/\\/g, "/") : pattern;
+        return minimatch(normValue, normPattern, opts);
     }
     catch {
         return false;