podwatch 1.1.8 → 1.2.0

package/dist/updater.js

@@ -4,17 +4,18 @@
  *
  * On plugin startup (called from register()), schedules a non-blocking update
  * check after a 30-second delay. If a new version is available on npm (or the
- * Podwatch dashboard fallback), it downloads via `npm pack`, extracts to the
- * extensions directory, writes a restart sentinel, and triggers a gateway
- * restart via the OS service manager (systemd / launchctl).
+ * Podwatch dashboard fallback), it downloads the tarball via fetch(), verifies
+ * integrity, extracts to the extensions directory, and writes a restart sentinel.
  *
  * Safety:
  * - 30s startup delay (don't slow boot)
  * - 24-hour cooldown between checks (cached in a local file)
  * - 5s timeout on all HTTP requests
- * - 120s timeout on npm pack command
  * - All errors caught — never bricks the running plugin
- * - Logs all activity for debugging
+ * - Rollback: backs up old dist/ before replacing, restores on extraction failure
+ * - Plugin NEVER restarts its host — only writes restart sentinel
+ * - Auto-update defaults to ON (set autoUpdate: false to disable)
+ * - No handleUrgentUpdate — removed as remote code execution vector
  */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
@@ -22,9 +23,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AUTO_UPDATE_CACHE_FILE = void 0;
 exports.resolveStateDir = resolveStateDir;
-exports.resolveGatewaySystemdServiceName = resolveGatewaySystemdServiceName;
-exports.resolveGatewayLaunchAgentLabel = resolveGatewayLaunchAgentLabel;
-exports.normalizeSystemdUnit = normalizeSystemdUnit;
+exports.getInstalledVersion = getInstalledVersion;
 exports.compareVersions = compareVersions;
 exports.shouldCheckForUpdate = shouldCheckForUpdate;
 exports.writeCacheTimestamp = writeCacheTimestamp;
@@ -32,26 +31,33 @@ exports.checkForUpdate = checkForUpdate;
 exports.writeRestartSentinel = writeRestartSentinel;
 exports.parseSriHash = parseSriHash;
 exports.verifyTarballIntegrity = verifyTarballIntegrity;
+exports.backupDist = backupDist;
+exports.restoreFromBackup = restoreFromBackup;
+exports.cleanupBackup = cleanupBackup;
 exports.downloadTarball = downloadTarball;
 exports.installFromTarball = installFromTarball;
 exports.executeUpdate = executeUpdate;
+exports.verifyNewDist = verifyNewDist;
 exports.waitForIdleWindow = waitForIdleWindow;
 exports.triggerGatewayRestart = triggerGatewayRestart;
-exports.handleUrgentUpdate = handleUrgentUpdate;
+exports.acquireUpdateLock = acquireUpdateLock;
+exports.releaseUpdateLock = releaseUpdateLock;
 exports.scheduleUpdateCheck = scheduleUpdateCheck;
 exports.runUpdateCheck = runUpdateCheck;
 const node_child_process_1 = require("node:child_process");
+const transmitter_js_1 = require("./transmitter.js");
+const activity_tracker_js_1 = require("./activity-tracker.js");
 const node_crypto_1 = __importDefault(require("node:crypto"));
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const node_os_1 = __importDefault(require("node:os"));
-const activity_tracker_js_1 = require("./activity-tracker.js");
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
 const NPM_REGISTRY_URL = "https://registry.npmjs.org/podwatch/latest";
+const NPM_TARBALL_URL_PREFIX = "https://registry.npmjs.org/podwatch/-/podwatch-";
 const CHECK_TIMEOUT_MS = 5_000;
-const NPM_PACK_TIMEOUT_MS = 120_000;
+const DOWNLOAD_TIMEOUT_MS = 60_000;
 const SPAWN_TIMEOUT_MS = 15_000;
 const STARTUP_DELAY_MS = 30_000;
 const COOLDOWN_MS = 24 * 60 * 60 * 1000; // 24 hours
@@ -61,6 +67,8 @@ const DEFER_INTERVAL_MS = 5 * 60 * 1000; // Re-check every 5 minutes
 const MAX_DEFER_MS = 2 * 60 * 60 * 1000; // Max 2 hours of deferral
 const CACHE_DIR = node_path_1.default.join(process.env.HOME ?? process.env.USERPROFILE ?? "/tmp", ".openclaw", "extensions", "podwatch");
 exports.AUTO_UPDATE_CACHE_FILE = node_path_1.default.join(CACHE_DIR, ".last-update-check");
+const UPDATE_LOCK_FILE = node_path_1.default.join(CACHE_DIR, ".update-lock");
+const UPDATE_LOCK_STALE_MS = 30 * 60 * 1000; // 30 minutes — stale lock threshold
 // ---------------------------------------------------------------------------
 // State dir resolution (mirrors OpenClaw's resolveStateDir)
 // ---------------------------------------------------------------------------
@@ -76,48 +84,23 @@ function resolveStateDir() {
     return node_path_1.default.join(home, ".openclaw");
 }
 // ---------------------------------------------------------------------------
-// Service name resolution (mirrors OpenClaw's constants)
+// Version comparison
 // ---------------------------------------------------------------------------
 /**
- * Normalize a gateway profile string. Returns null for empty/default.
+ * Read the installed plugin version from disk (extensions dir package.json).
+ * Returns null if the file can't be read.
  */
-function normalizeGatewayProfile(profile) {
-    const trimmed = profile?.trim();
-    if (!trimmed || trimmed.toLowerCase() === "default")
+function getInstalledVersion() {
+    try {
+        const extensionsDir = node_path_1.default.join(process.env.HOME ?? process.env.USERPROFILE ?? "/tmp", ".openclaw", "extensions", "podwatch");
+        const pkgPath = node_path_1.default.join(extensionsDir, "package.json");
+        const pkg = JSON.parse(node_fs_1.default.readFileSync(pkgPath, "utf8"));
+        return typeof pkg.version === "string" ? pkg.version : null;
+    }
+    catch {
         return null;
-    return trimmed;
-}
-/**
- * Resolve the systemd service name for the gateway.
- */
-function resolveGatewaySystemdServiceName(profile) {
-    const normalized = normalizeGatewayProfile(profile);
-    const suffix = normalized ? `-${normalized}` : "";
-    if (!suffix)
-        return "openclaw-gateway";
-    return `openclaw-gateway${suffix}`;
-}
-/**
- * Resolve the launchd label for the gateway.
- */
-function resolveGatewayLaunchAgentLabel(profile) {
-    const normalized = normalizeGatewayProfile(profile);
-    if (!normalized)
-        return "ai.openclaw.gateway";
-    return `ai.openclaw.${normalized}`;
-}
-/**
- * Normalize a systemd unit name. Appends .service if missing.
- */
-function normalizeSystemdUnit(raw, profile) {
-    const unit = raw?.trim();
-    if (!unit)
-        return `${resolveGatewaySystemdServiceName(profile)}.service`;
-    return unit.endsWith(".service") ? unit : `${unit}.service`;
+    }
 }
-// ---------------------------------------------------------------------------
-// Version comparison
-// ---------------------------------------------------------------------------
 /**
  * Compare two semver-like version strings.
  * Returns positive if remote > local, negative if local > remote, 0 if equal.
@@ -186,11 +169,13 @@ async function checkForUpdate(currentVersion, endpoint) {
                 const cmp = compareVersions(currentVersion, data.version);
                 // npm registry provides integrity as SRI string at dist.integrity
                 const integrity = typeof data.dist?.integrity === "string" ? data.dist.integrity : undefined;
+                const tarballUrl = typeof data.dist?.tarball === "string" ? data.dist.tarball : undefined;
                 return {
                     available: cmp > 0,
                     remoteVersion: data.version,
                     source: "npm",
                     integrityHash: integrity,
+                    tarballUrl,
                 };
             }
         }
@@ -293,44 +278,93 @@ function verifyTarballIntegrity(tarballPath, expectedHash) {
         };
     }
 }
+// ---------------------------------------------------------------------------
+// Rollback helpers
+// ---------------------------------------------------------------------------
+/**
+ * Back up the existing dist/ directory before replacing it.
+ * Returns the backup path, or null if no dist/ exists.
+ */
+function backupDist(extensionsDir) {
+    const distDir = node_path_1.default.join(extensionsDir, "dist");
+    if (!node_fs_1.default.existsSync(distDir))
+        return null;
+    const backupDir = node_path_1.default.join(extensionsDir, "dist.backup");
+    try {
+        // Remove stale backup if it exists
+        if (node_fs_1.default.existsSync(backupDir)) {
+            node_fs_1.default.rmSync(backupDir, { recursive: true, force: true });
+        }
+        node_fs_1.default.renameSync(distDir, backupDir);
+        return backupDir;
+    }
+    catch (err) {
+        console.warn("[podwatch/updater] Failed to backup dist/:", err);
+        return null;
+    }
+}
+/**
+ * Restore dist/ from backup after a failed extraction.
+ */
+function restoreFromBackup(extensionsDir, backupDir) {
+    try {
+        const distDir = node_path_1.default.join(extensionsDir, "dist");
+        // Remove the failed extraction
+        if (node_fs_1.default.existsSync(distDir)) {
+            node_fs_1.default.rmSync(distDir, { recursive: true, force: true });
+        }
+        node_fs_1.default.renameSync(backupDir, distDir);
+        return true;
+    }
+    catch (err) {
+        console.error("[podwatch/updater] Failed to restore dist/ from backup:", err);
+        return false;
+    }
+}
 /**
- * Download the latest podwatch tarball via npm pack.
- * Returns the tarball path on success for integrity verification.
+ * Clean up backup after successful extraction.
  */
-function downloadTarball() {
+function cleanupBackup(backupDir) {
+    try {
+        if (node_fs_1.default.existsSync(backupDir)) {
+            node_fs_1.default.rmSync(backupDir, { recursive: true, force: true });
+        }
+    }
+    catch {
+        // Best-effort cleanup
+    }
+}
+/**
+ * Download the podwatch tarball via fetch() from the npm registry URL.
+ * No shell commands needed — pure HTTP download.
+ */
+async function downloadTarball(version, tarballUrl) {
     let tmpDir = null;
     try {
-        // 1. Create temp dir for npm pack
+        // 1. Create temp dir
         tmpDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "podwatch-update-"));
-        // 2. npm pack podwatch (downloads latest from registry)
-        const packResult = (0, node_child_process_1.spawnSync)("npm", ["pack", "podwatch", "--pack-destination", tmpDir], {
-            encoding: "utf8",
-            timeout: NPM_PACK_TIMEOUT_MS,
-            cwd: tmpDir,
+        // 2. Determine download URL
+        const url = tarballUrl ?? `${NPM_TARBALL_URL_PREFIX}${version ?? "latest"}.tgz`;
+        // 3. Fetch the tarball
+        const response = await fetch(url, {
+            signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
         });
-        if (packResult.error || packResult.status !== 0) {
+        if (!response.ok) {
             return {
                 success: false,
-                stdout: packResult.stdout,
-                stderr: packResult.stderr,
-                error: packResult.error?.message ?? `npm pack exited with status ${packResult.status}`,
-                tmpDir,
-            };
-        }
-        // Find the tarball filename from stdout (npm pack prints the filename)
-        const tarballName = packResult.stdout.trim().split("\n").pop()?.trim();
-        if (!tarballName) {
-            return {
-                success: false,
-                stdout: packResult.stdout,
-                error: "npm pack did not output a tarball filename",
+                error: `Tarball download failed: HTTP ${response.status}`,
                 tmpDir,
             };
         }
+        const arrayBuffer = await response.arrayBuffer();
+        const buffer = Buffer.from(arrayBuffer);
+        // 4. Write to temp file
+        const tarballName = `podwatch-${version ?? "latest"}.tgz`;
         const tarballPath = node_path_1.default.join(tmpDir, tarballName);
+        node_fs_1.default.writeFileSync(tarballPath, buffer);
         return {
             success: true,
-            stdout: `Downloaded ${tarballName}`,
+            stdout: `Downloaded ${tarballName} (${buffer.length} bytes)`,
             tarballPath,
             tmpDir,
         };
@@ -345,23 +379,27 @@ function downloadTarball() {
 }
 /**
  * Install from a previously downloaded tarball by extracting to the extensions dir.
+ * Includes rollback: backs up old dist/ before extraction, restores on failure.
  */
 function installFromTarball(tarballPath) {
     const extensionsDir = node_path_1.default.join(process.env.HOME ?? process.env.USERPROFILE ?? "/tmp", ".openclaw", "extensions", "podwatch");
+    let backupDir = null;
     try {
-        // 1. Clean old dist before extracting
-        const distDir = node_path_1.default.join(extensionsDir, "dist");
-        if (node_fs_1.default.existsSync(distDir)) {
-            node_fs_1.default.rmSync(distDir, { recursive: true, force: true });
-        }
-        // 2. Ensure extensions dir exists
+        // 1. Ensure extensions dir exists
         node_fs_1.default.mkdirSync(extensionsDir, { recursive: true });
+        // 2. Backup existing dist/ before replacing
+        backupDir = backupDist(extensionsDir);
         // 3. Extract tarball — npm pack creates tarballs with a "package/" prefix
         const extractResult = (0, node_child_process_1.spawnSync)("tar", ["xzf", tarballPath, "--strip-components=1", "-C", extensionsDir], {
             encoding: "utf8",
             timeout: 30_000,
         });
         if (extractResult.error || extractResult.status !== 0) {
+            // Rollback on extraction failure
+            if (backupDir) {
+                restoreFromBackup(extensionsDir, backupDir);
+                console.warn("[podwatch/updater] Extraction failed — rolled back to previous version.");
+            }
             return {
                 success: false,
                 stdout: extractResult.stdout,
@@ -369,6 +407,9 @@ function installFromTarball(tarballPath) {
                 error: extractResult.error?.message ?? `tar extract exited with status ${extractResult.status}`,
             };
         }
+        // 4. Leave backup in place — caller (runUpdateCheck) cleans up after
+        //    verifyNewDist() confirms the new code works. Stale backups from
+        //    prior runs are handled by backupDist() which removes them first.
         const tarballName = node_path_1.default.basename(tarballPath);
         return {
             success: true,
@@ -376,6 +417,11 @@ function installFromTarball(tarballPath) {
         };
     }
     catch (err) {
+        // Rollback on any error
+        if (backupDir) {
+            restoreFromBackup(extensionsDir, backupDir);
+            console.warn("[podwatch/updater] Install failed — rolled back to previous version.");
+        }
         return {
             success: false,
             error: err instanceof Error ? err.message : String(err),
@@ -383,39 +429,92 @@ function installFromTarball(tarballPath) {
     }
 }
 /**
- * Download and install the latest podwatch plugin via npm pack + extract.
+ * Download and install the latest podwatch plugin via fetch + extract.
  * Legacy single-step function — delegates to downloadTarball + installFromTarball.
- *
- * Steps:
- * 1. `npm pack podwatch` in a temp dir to get the tarball
- * 2. Clean old dist in the extensions directory
- * 3. Extract tarball contents to ~/.openclaw/extensions/podwatch/
  */
 function executeUpdate() {
-    const download = downloadTarball();
+    // executeUpdate is sync for backward compat — use spawnSync-based fallback
+    const extensionsDir = node_path_1.default.join(process.env.HOME ?? process.env.USERPROFILE ?? "/tmp", ".openclaw", "extensions", "podwatch");
+    let tmpDir = null;
     try {
-        if (!download.success || !download.tarballPath) {
+        tmpDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "podwatch-update-"));
+        // Use npx npm pack as sync fallback (downloadTarball is async)
+        const packResult = (0, node_child_process_1.spawnSync)("npx", ["-y", "npm", "pack", "podwatch", "--pack-destination", tmpDir], {
+            encoding: "utf8",
+            timeout: 120_000,
+            cwd: tmpDir,
+        });
+        if (packResult.error || packResult.status !== 0) {
+            return {
+                success: false,
+                stdout: packResult.stdout,
+                stderr: packResult.stderr,
+                error: packResult.error?.message ?? `npx npm pack exited with status ${packResult.status}`,
+            };
+        }
+        const tarballName = packResult.stdout.trim().split("\n").pop()?.trim();
+        if (!tarballName) {
             return {
                 success: false,
-                stdout: download.stdout,
-                stderr: download.stderr,
-                error: download.error ?? "Download failed",
+                stdout: packResult.stdout,
+                error: "npm pack did not output a tarball filename",
             };
         }
-        return installFromTarball(download.tarballPath);
+        const tarballPath = node_path_1.default.join(tmpDir, tarballName);
+        return installFromTarball(tarballPath);
+    }
+    catch (err) {
+        return {
+            success: false,
+            error: err instanceof Error ? err.message : String(err),
+        };
     }
     finally {
-        // Cleanup temp dir
-        if (download.tmpDir) {
+        if (tmpDir) {
             try {
-                node_fs_1.default.rmSync(download.tmpDir, { recursive: true, force: true });
-            }
-            catch {
-                // Best-effort cleanup
+                node_fs_1.default.rmSync(tmpDir, { recursive: true, force: true });
             }
+            catch { /* best-effort */ }
         }
     }
 }
+/**
+ * Verify that the newly installed dist/index.js is loadable.
+ * Tries to require() the entry point — if it throws, the new code is broken.
+ * Returns a detailed result indicating success or failure reason.
+ */
+function verifyNewDist(extensionsDir) {
+    const entryPoint = node_path_1.default.join(extensionsDir, "dist", "index.js");
+    try {
+        if (!node_fs_1.default.existsSync(entryPoint)) {
+            return { ok: false, error: "dist/index.js not found" };
+        }
+        // Use a child process to verify — don't pollute our own module cache
+        // Timeout set to 15s to allow for reasonable module initialization
+        const result = (0, node_child_process_1.spawnSync)(process.execPath, ["-e", `try { require(${JSON.stringify(entryPoint)}); process.exit(0); } catch(e) { console.error(e.message); process.exit(1); }`], { encoding: "utf8", timeout: 15_000 });
+        // Check for crash signals (SIGSEGV, SIGABRT, etc.)
+        if (result.signal) {
+            return { ok: false, signal: result.signal, error: `Process killed by signal: ${result.signal}` };
+        }
+        // Check for timeout
+        if (result.error?.message?.includes("ETIMEDOUT") || result.error?.message?.includes("timed out")) {
+            return { ok: false, timedOut: true, error: "Module load timed out after 15s" };
+        }
+        // Check for spawn errors
+        if (result.error) {
+            return { ok: false, error: result.error.message };
+        }
+        // Check exit code
+        if (result.status !== 0) {
+            const stderr = result.stderr?.trim();
+            return { ok: false, error: stderr || `Exit code: ${result.status}` };
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, error: err instanceof Error ? err.message : String(err) };
+    }
+}
 // ---------------------------------------------------------------------------
 // Graceful idle window — defer restart until agent is inactive
 // ---------------------------------------------------------------------------
@@ -449,50 +548,60 @@ async function waitForIdleWindow(logger) {
     return true;
 }
 /**
- * Trigger a gateway restart using the OS service manager directly.
- * Mirrors OpenClaw's triggerOpenClawRestart logic.
+ * Resolve the systemd service name for the gateway.
+ */
+function resolveGatewayServiceName(profile) {
+    const trimmed = profile?.trim();
+    const normalized = (!trimmed || trimmed.toLowerCase() === "default") ? null : trimmed;
+    const suffix = normalized ? `-${normalized}` : "";
+    return `openclaw-gateway${suffix}.service`;
+}
+/**
+ * Trigger a gateway restart using the OS service manager.
+ *
+ * Safety improvements over original:
+ * - Only called AFTER verifyNewDist() confirms the new code loads
+ * - Only called AFTER integrity verification passed
+ * - Only called AFTER rollback backup is in place
+ * - Single attempt — if restart fails, logs error and moves on (no retry loop)
  *
- * Linux: systemctl --user restart <unit> (user first, then system fallback)
+ * Linux: systemctl --user restart <unit>
  * macOS: launchctl kickstart -k gui/<uid>/<label>
- * Fallback: log a manual restart message
  */
 function triggerGatewayRestart(logger) {
     const tried = [];
     if (process.platform === "linux") {
-        const unit = normalizeSystemdUnit(process.env.OPENCLAW_SYSTEMD_UNIT, process.env.OPENCLAW_PROFILE);
-        // Try user-level systemctl first
-        const userArgs = ["--user", "restart", unit];
-        tried.push(`systemctl ${userArgs.join(" ")}`);
-        const userRestart = (0, node_child_process_1.spawnSync)("systemctl", userArgs, {
+        const unit = resolveGatewayServiceName(process.env.OPENCLAW_PROFILE);
+        // Try user-level systemctl
+        const args = ["--user", "restart", unit];
+        tried.push(`systemctl ${args.join(" ")}`);
+        const result = (0, node_child_process_1.spawnSync)("systemctl", args, {
             encoding: "utf8",
             timeout: SPAWN_TIMEOUT_MS,
         });
-        if (!userRestart.error && userRestart.status === 0) {
+        if (!result.error && result.status === 0) {
             logger.info("[podwatch/updater] Gateway restarted via systemctl --user.");
             return { ok: true, method: "systemd", tried };
         }
-        // Fall back to system-level systemctl
-        const systemArgs = ["restart", unit];
-        tried.push(`systemctl ${systemArgs.join(" ")}`);
-        const systemRestart = (0, node_child_process_1.spawnSync)("systemctl", systemArgs, {
+        // Single fallback: system-level
+        const sysArgs = ["restart", unit];
+        tried.push(`systemctl ${sysArgs.join(" ")}`);
+        const sysResult = (0, node_child_process_1.spawnSync)("systemctl", sysArgs, {
             encoding: "utf8",
             timeout: SPAWN_TIMEOUT_MS,
         });
-        if (!systemRestart.error && systemRestart.status === 0) {
+        if (!sysResult.error && sysResult.status === 0) {
             logger.info("[podwatch/updater] Gateway restarted via systemctl (system).");
             return { ok: true, method: "systemd", tried };
         }
-        // Both failed
-        const detail = [
-            `user: ${userRestart.error?.message ?? `exit ${userRestart.status}`}`,
-            `system: ${systemRestart.error?.message ?? `exit ${systemRestart.status}`}`,
-        ].join("; ");
-        logger.error(`[podwatch/updater] systemctl restart failed: ${detail}. Please restart the gateway manually.`);
+        const detail = `user: ${result.error?.message ?? `exit ${result.status}`}; system: ${sysResult.error?.message ?? `exit ${sysResult.status}`}`;
+        logger.warn(`[podwatch/updater] Could not restart gateway: ${detail}. Restart manually to activate update.`);
         return { ok: false, method: "systemd", detail, tried };
     }
     if (process.platform === "darwin") {
-        const label = process.env.OPENCLAW_LAUNCHD_LABEL ||
-            resolveGatewayLaunchAgentLabel(process.env.OPENCLAW_PROFILE);
+        const profile = process.env.OPENCLAW_PROFILE?.trim();
+        const normalized = (!profile || profile.toLowerCase() === "default") ? null : profile;
+        const label = process.env.OPENCLAW_LAUNCHD_LABEL || (normalized ? `ai.openclaw.${normalized}` : "ai.openclaw.gateway");
         const uid = typeof process.getuid === "function" ? process.getuid() : undefined;
         const target = uid !== undefined ? `gui/${uid}/${label}` : label;
         const args = ["kickstart", "-k", target];
@@ -506,97 +615,58 @@ function triggerGatewayRestart(logger) {
             return { ok: true, method: "launchctl", tried };
         }
         const detail = res.error?.message ?? `exit ${res.status}`;
-        logger.error(`[podwatch/updater] launchctl restart failed: ${detail}. Please restart the gateway manually.`);
+        logger.warn(`[podwatch/updater] Could not restart gateway: ${detail}. Restart manually to activate update.`);
         return { ok: false, method: "launchctl", detail, tried };
     }
-    // Unsupported platform
-    logger.warn(`[podwatch/updater] Unsupported platform "${process.platform}" for auto-restart. Please restart the gateway manually.`);
-    return {
-        ok: false,
-        method: "unsupported",
-        detail: `unsupported platform: ${process.platform}`,
-        tried,
-    };
+    logger.info(`[podwatch/updater] Platform "${process.platform}" — restart manually to activate update.`);
+    return { ok: false, method: "unsupported", detail: `platform: ${process.platform}`, tried };
 }
 // ---------------------------------------------------------------------------
-// Urgent update trigger (called from transmitter when API signals urgent)
+// Update lock (prevents concurrent update attempts)
 // ---------------------------------------------------------------------------
-/** Stored references for triggering urgent updates from the transmitter. */
-let urgentUpdateState = null;
 /**
- * Handle an urgent update signal from the Podwatch API.
- * Bypasses the 24-hour cooldown and triggers an immediate update check.
- * Called by the transmitter when the API response includes { update: { urgent: true } }.
+ * Acquire an exclusive update lock. Returns true if acquired, false if
+ * another update is already in progress (or the lock is stale and was reclaimed).
  */
-async function handleUrgentUpdate(signalVersion, logger) {
-    if (!urgentUpdateState) {
-        logger.warn("[podwatch/updater] Urgent update signal received but updater not initialized.");
-        return;
-    }
-    const { currentVersion, endpoint, options } = urgentUpdateState;
-    // Skip if autoUpdate is disabled
-    if (options.autoUpdate === false) {
-        logger.info("[podwatch/updater] Urgent update signal received but auto-update is disabled.");
-        return;
-    }
-    // Skip if the signaled version is not newer
-    if (compareVersions(currentVersion, signalVersion) <= 0) {
-        logger.info(`[podwatch/updater] Urgent update signal for v${signalVersion} but already at v${currentVersion}. Skipping.`);
-        return;
-    }
-    logger.info(`[podwatch/updater] Urgent update signal received for v${signalVersion}. Bypassing cooldown...`);
-    // Run the update check immediately (bypasses shouldCheckForUpdate cooldown)
+function acquireUpdateLock() {
     try {
-        const result = await checkForUpdate(currentVersion, endpoint);
-        writeCacheTimestamp();
-        if (!result || !result.available) {
-            logger.info("[podwatch/updater] Urgent check: no update available.");
-            return;
-        }
-        if (!result.integrityHash) {
-            logger.warn(`[podwatch/updater] Urgent check: no integrity hash for v${result.remoteVersion}. Skipping.`);
-            return;
-        }
-        logger.info(`[podwatch/updater] Urgent update: v${currentVersion} → v${result.remoteVersion}. Downloading...`);
-        const download = downloadTarball();
-        if (!download.success || !download.tarballPath) {
-            logger.error(`[podwatch/updater] Urgent update download failed: ${download.error}`);
-            if (download.tmpDir) {
-                try {
-                    node_fs_1.default.rmSync(download.tmpDir, { recursive: true, force: true });
+        node_fs_1.default.mkdirSync(CACHE_DIR, { recursive: true });
+        // Check for existing lock
+        if (node_fs_1.default.existsSync(UPDATE_LOCK_FILE)) {
+            try {
+                const raw = node_fs_1.default.readFileSync(UPDATE_LOCK_FILE, "utf-8");
+                const data = JSON.parse(raw);
+                const age = Date.now() - (data.ts ?? 0);
+                // Stale lock — reclaim it
+                if (age > UPDATE_LOCK_STALE_MS) {
+                    console.warn("[podwatch/updater] Reclaiming stale update lock.");
+                }
+                else {
+                    return false; // Lock is held by another process
                 }
-                catch { /* best-effort */ }
-            }
-            return;
-        }
-        try {
-            const integrity = verifyTarballIntegrity(download.tarballPath, result.integrityHash);
-            if (!integrity.valid) {
-                logger.error(`[podwatch/updater] Urgent update integrity check failed! ` +
-                    `Expected: ${result.integrityHash}, Got: ${integrity.actualHash ?? integrity.error}.`);
-                return;
             }
-            const installResult = installFromTarball(download.tarballPath);
-            if (!installResult.success) {
-                logger.error(`[podwatch/updater] Urgent update install failed: ${installResult.error}`);
-                return;
+            catch {
+                // Corrupted lock file — reclaim
             }
-            logger.info(`[podwatch/updater] Urgent update installed (v${currentVersion} → v${result.remoteVersion}). Waiting for idle window before restart...`);
-            await waitForIdleWindow(logger);
-            writeRestartSentinel(result.remoteVersion);
-            triggerGatewayRestart(logger);
         }
-        finally {
-            if (download.tmpDir) {
-                try {
-                    node_fs_1.default.rmSync(download.tmpDir, { recursive: true, force: true });
-                }
-                catch { /* best-effort */ }
-            }
+        node_fs_1.default.writeFileSync(UPDATE_LOCK_FILE, JSON.stringify({ pid: process.pid, ts: Date.now() }));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Release the update lock.
+ */
+function releaseUpdateLock() {
+    try {
+        if (node_fs_1.default.existsSync(UPDATE_LOCK_FILE)) {
+            node_fs_1.default.rmSync(UPDATE_LOCK_FILE, { force: true });
         }
     }
-    catch (err) {
-        logger.error(`[podwatch/updater] Urgent update error: ${err}`);
+    catch {
+        // Best-effort
     }
 }
 // ---------------------------------------------------------------------------
@@ -606,7 +676,7 @@ async function handleUrgentUpdate(signalVersion, logger) {
  * Schedule a non-blocking update check 30s after startup.
  * Safe to call synchronously — it sets a timer and returns immediately.
  *
- * Auto-update is on by default. Set autoUpdate: false in plugin config to disable.
+ * Auto-update is ON by default. Set autoUpdate: false in plugin config to disable.
  *
  * @param currentVersion The plugin's current version from package.json
  * @param endpoint The Podwatch API endpoint (for dashboard fallback)
@@ -614,8 +684,6 @@ async function handleUrgentUpdate(signalVersion, logger) {
  * @param options Update options (autoUpdate, etc.)
  */
 function scheduleUpdateCheck(currentVersion, endpoint, logger, options = {}) {
-    // Store state for urgent update triggers from the transmitter
-    urgentUpdateState = { currentVersion, endpoint, logger, options };
     const timer = setTimeout(() => {
         void runUpdateCheck(currentVersion, endpoint, logger, options);
     }, STARTUP_DELAY_MS);
@@ -625,21 +693,25 @@ function scheduleUpdateCheck(currentVersion, endpoint, logger, options = {}) {
     }
 }
 /**
- * Internal: perform the actual update check + install + restart.
+ * Internal: perform the actual update check + install.
  *
  * Flow:
- * 1. Check autoUpdate opt-in (default false)
+ * 1. Check autoUpdate opt-out (default on; set autoUpdate: false to disable)
  * 2. Respect 24h cooldown
- * 3. Check for newer version (npm → dashboard fallback)
- * 4. Require integrity hash from server (skip if missing)
- * 5. Download tarball via npm pack
- * 6. Verify tarball SHA-256 against server hash
- * 7. Extract and install
- * 8. Write restart sentinel + trigger gateway restart
+ * 3. Acquire update lock (prevents concurrent updates)
+ * 4. Check for newer version (npm → dashboard fallback)
+ * 5. Require integrity hash from server (skip if missing)
+ * 6. Download tarball via fetch
+ * 7. Verify tarball integrity against server hash
+ * 8. Extract and install (with rollback on failure)
+ * 9. Verify new dist loads; rollback if broken
+ * 10. Write restart sentinel (gateway picks it up on next restart)
+ * 11. Wait for idle window, then restart gateway
  */
 async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
+    let lockAcquired = false;
     try {
-        // 1. Check opt-in — auto-update must be explicitly enabled
+        // 1. Check opt-in — auto-update must be explicitly disabled
         if (options.autoUpdate === false) {
             logger.info("[podwatch/updater] Auto-update is disabled. Remove autoUpdate: false from plugin config to re-enable.");
             return;
@@ -649,6 +721,12 @@ async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
             console.log("[podwatch/updater] Skipping check — within 24h cooldown.");
             return;
         }
+        // 3. Acquire update lock (prevents concurrent updates)
+        if (!acquireUpdateLock()) {
+            logger.info("[podwatch/updater] Another update is in progress — skipping.");
+            return;
+        }
+        lockAcquired = true;
         logger.info("[podwatch/updater] Checking for updates...");
         const result = await checkForUpdate(currentVersion, endpoint);
         // Always write cache timestamp after a check attempt (even if no update)
@@ -669,13 +747,10 @@ async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
         }
         // New version available with integrity hash!
         logger.info(`[podwatch/updater] Update available: v${currentVersion} → v${result.remoteVersion} (via ${result.source}). Downloading...`);
-        // 4. Download tarball
-        const download = downloadTarball();
+        // 4. Download tarball via fetch
+        const download = await downloadTarball(result.remoteVersion, result.tarballUrl);
         if (!download.success || !download.tarballPath) {
             logger.error(`[podwatch/updater] Update failed: ${download.error}. Continuing with current version.`);
-            if (download.stderr) {
-                console.error("[podwatch/updater] stderr:", download.stderr);
-            }
             // Cleanup temp dir
             if (download.tmpDir) {
                 try {
@@ -696,7 +771,7 @@ async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
                 return;
             }
             logger.info(`[podwatch/updater] Integrity verified (${integrity.actualHash}). Installing v${result.remoteVersion}...`);
-            // 6. Extract and install
+            // 6. Extract and install (with rollback on failure)
             const installResult = installFromTarball(download.tarballPath);
             if (!installResult.success) {
                 logger.error(`[podwatch/updater] Update failed: ${installResult.error}. Continuing with current version.`);
@@ -705,13 +780,54 @@ async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
                 }
                 return;
             }
-            logger.info(`[podwatch/updater] Update installed successfully (v${currentVersion} → v${result.remoteVersion}). Waiting for idle window before restart...`);
-            // 7. Wait for idle window (defer if agent is active)
-            await waitForIdleWindow(logger);
-            // 8. Write restart sentinel so the gateway knows why it restarted
+            // 7. Verify the new dist loads before doing anything dangerous
+            const extensionsDir = node_path_1.default.join(process.env.HOME ?? process.env.USERPROFILE ?? "/tmp", ".openclaw", "extensions", "podwatch");
+            const distResult = verifyNewDist(extensionsDir);
+            const backupDir = node_path_1.default.join(extensionsDir, "dist.backup");
+            if (!distResult.ok) {
+                const reason = distResult.signal
+                    ? `crashed with signal ${distResult.signal}`
+                    : distResult.timedOut
+                        ? "timed out during load"
+                        : distResult.error || "unknown error";
+                logger.error(`[podwatch/updater] New dist/index.js failed to load (${reason})! Rolling back to previous version.`);
+                if (node_fs_1.default.existsSync(backupDir)) {
+                    restoreFromBackup(extensionsDir, backupDir);
+                    logger.info("[podwatch/updater] Rolled back to previous version.");
+                }
+                else {
+                    logger.error("[podwatch/updater] No backup available for rollback — previous dist lost.");
+                }
+                transmitter_js_1.transmitter.enqueue({
+                    type: "alert",
+                    ts: Date.now(),
+                    message: `Podwatch update to v${result.remoteVersion} failed verification (${reason}) — rolled back. Please report this.`,
+                    severity: "error",
+                });
+                return;
+            }
+            // 7b. Verification passed — clean up backup now
+            cleanupBackup(backupDir);
+            // 8. Write restart sentinel
             writeRestartSentinel(result.remoteVersion);
-            // 9. Trigger restart via OS service manager
-            triggerGatewayRestart(logger);
+            // 9. Notify dashboard
+            transmitter_js_1.transmitter.enqueue({
+                type: "alert",
+                ts: Date.now(),
+                message: `Podwatch updated: v${currentVersion} → v${result.remoteVersion}. Restarting gateway...`,
+                severity: "info",
+            });
+            // 10. Flush transmitter so the notification gets out before restart
+            await transmitter_js_1.transmitter.flush();
+            logger.info(`[podwatch/updater] Update verified and installed (v${currentVersion} → v${result.remoteVersion}). ` +
+                "Waiting for idle window before restart...");
+            // 11. Wait for idle window, then restart
+            await waitForIdleWindow(logger);
+            const restartResult = triggerGatewayRestart(logger);
+            if (!restartResult.ok) {
+                logger.info(`[podwatch/updater] Automatic restart not available. Update is installed — ` +
+                    "restart the gateway manually to activate.");
+            }
         }
         finally {
             // Cleanup temp dir
@@ -727,5 +843,9 @@ async function runUpdateCheck(currentVersion, endpoint, logger, options = {}) {
         // Catch-all: never let the updater crash the plugin
         console.error("[podwatch/updater] Unexpected error:", err);
     }
+    finally {
+        if (lockAcquired)
+            releaseUpdateLock();
+    }
 }
 //# sourceMappingURL=updater.js.map