polygram 0.9.0 → 0.10.0-rc.2

package/lib/tmux/tmux-runner.js

@@ -0,0 +1,303 @@
+/**
+ * Low-level tmux wrapper used by TmuxProcess (`lib/process/tmux-process.js`).
+ *
+ * Pure mechanics — spawn / send / capture / kill / list. No semantics
+ * about claude or polygram. TmuxProcess composes these into the
+ * higher-level send-prompt / observe-turn / interrupt flow.
+ *
+ * Conventions:
+ *   - Session names are bot-prefixed to avoid cross-bot collision
+ *     on the same host: `polygram-<bot>-<chat>-<thread>`.
+ *   - Prompt bodies go through pasteText() (sanitize + multiline
+ *     separator + set-buffer/paste-buffer).
+ *   - Control keys (Enter, Escape, C-c) go through sendControl()
+ *     using `tmux send-keys` (no -l flag).
+ *
+ * Phase 0 spike findings encoded here:
+ *   F-spike-1  --permission-mode acceptEdits handled by callers
+ *   F-spike-3  `\n` in paste-buffer SPLITS into separate Enter
+ *              presses → encode as MULTILINE_SEPARATOR before paste
+ *   F-spike-4  bypassPermissions needs --dangerously-skip-permissions
+ *              companion (callers add this flag pair when needed)
+ *   G5b        sanitize() strips C0/DEL control bytes so a Telegram
+ *              user can't inject Ctrl-C / Ctrl-D into the pty
+ *
+ * @see docs/0.10.0-phase0-spike-findings.md F-spike-1..4
+ * @see docs/0.10.0-process-manager-abstraction-plan.md §12.4
+ */
+
+'use strict';
+
+const childProcess = require('child_process');
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+// ─── Constants ───────────────────────────────────────────────────────
+
+// Phase 0 F-spike-3: `\n` in paste-buffer triggers separate Enter
+// presses in claude TUI; only the LAST line stays. Encode as a visible
+// separator before paste so the full multi-line prompt arrives.
+const MULTILINE_SEPARATOR = ' / ';
+
+// G5b: strip C0/DEL bytes (0x00-0x08, 0x0b-0x1f, 0x7f) from prompt
+// before send. Allows \t (0x09) and \n (0x0a) through; we handle \n
+// via MULTILINE_SEPARATOR.
+const CONTROL_CHAR_RE = /[\x00-\x08\x0b-\x1f\x7f]/g;
+
+// ─── execFile wrapper ────────────────────────────────────────────────
+
+/**
+ * Promise-wrapped childProcess.execFile. Returns { stdout, stderr }.
+ * Rejects on non-zero exit with err.stdout + err.stderr attached.
+ */
+function run(cmd, args, opts = {}) {
+  return new Promise((resolve, reject) => {
+    childProcess.execFile(cmd, args, { ...opts, encoding: 'utf8' }, (err, stdout, stderr) => {
+      if (err) {
+        err.stdout = stdout;
+        err.stderr = stderr;
+        return reject(err);
+      }
+      resolve({ stdout, stderr });
+    });
+  });
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────
+
+/**
+ * Strip C0/DEL control characters. Allow \t and \n (\n is then
+ * encoded to MULTILINE_SEPARATOR by pasteText below).
+ */
+function sanitize(text) {
+  return String(text).replace(CONTROL_CHAR_RE, '');
+}
+
+/**
+ * Bot-prefixed tmux session name. Replaces unsafe chars with _ so
+ * the name is always a valid tmux session identifier.
+ *
+ * @param {string} botName
+ * @param {string|number} chatId
+ * @param {string|number|null} threadId
+ */
+function sessionName(botName, chatId, threadId) {
+  const tail = threadId ? `${chatId}-${threadId}` : `${chatId}-main`;
+  return `polygram-${botName}-${tail}`.replace(/[^\w-]/g, '_');
+}
+
+/**
+ * Per-session debug-log path. Same sanitization as session name so
+ * an admin typo in a topic key can't path-traverse.
+ *
+ * Per R2-F5 the path lives under polygram's own data dir, not /tmp.
+ *
+ * @param {string} botName
+ * @param {string|number} chatId
+ * @param {string|number|null} threadId
+ * @param {string} [logsDir]  base dir; default ~/.polygram/<bot>/logs
+ */
+function debugLogPath(botName, chatId, threadId, logsDir) {
+  const safeBot = String(botName).replace(/[^\w-]/g, '_');
+  const tail = threadId ? `${chatId}-${threadId}` : `${chatId}-main`;
+  const safeTail = String(tail).replace(/[^\w-]/g, '_');
+  // SECURITY (audit M4): refuse to fall back to /tmp when HOME is
+  // unset. /tmp is world-writable; a co-tenant could pre-create the
+  // path as a symlink pointing at an arbitrary file, and claude's
+  // --debug-file flag would follow it on open-for-append. Operators
+  // running polygram must have HOME set; if not, this is a misconfig
+  // that should fail loud.
+  if (!logsDir && !process.env.HOME) {
+    throw Object.assign(
+      new Error('HOME env var unset; refusing /tmp fallback for debugLogPath'),
+      { code: 'HOME_UNSET' },
+    );
+  }
+  const base = logsDir || path.join(process.env.HOME, '.polygram', safeBot, 'logs');
+  return path.join(base, `tmux-claude-${safeTail}.log`);
+}
+
+/**
+ * Ensure the directory exists for a debug log path. Idempotent.
+ */
+function ensureLogDir(logPath) {
+  fs.mkdirSync(path.dirname(logPath), { recursive: true });
+}
+
+// ─── TmuxRunner ──────────────────────────────────────────────────────
+
+/**
+ * Construct a tmux runner. Returns an object of methods. Stateless —
+ * each call is an independent tmux invocation. The shared `logger` is
+ * the only injected dependency.
+ *
+ * Test seam: tests can stub `runner._run` to mock execFile.
+ *
+ * @param {object} [opts]
+ * @param {object} [opts.logger=console]
+ * @param {Function} [opts.runFn] — override the underlying execFile
+ *   wrapper (for tests). Same signature: (cmd, args, opts?) → Promise.
+ */
+function createTmuxRunner({ logger = console, runFn = run } = {}) {
+
+  async function spawn({
+    name,
+    cwd,
+    command,
+    args = [],
+    envExtras = {},
+    paneWidth = 200,
+  }) {
+    // SECURITY (audit M5): paneWidth ends up as a CLI arg to `tmux
+    // set-option`. We use execFile (no shell), so this is not a
+    // shell-injection vector — but a hostile value like '-Force' or
+    // a number-string with embedded options could be mis-parsed by
+    // tmux. Validate it's a small positive integer.
+    if (!Number.isInteger(paneWidth) || paneWidth < 20 || paneWidth > 10_000) {
+      throw new TypeError(`paneWidth must be an integer in [20, 10000], got ${paneWidth}`);
+    }
+    const sessArgs = ['new-session', '-d', '-s', name];
+    if (cwd) sessArgs.push('-c', cwd);
+    for (const [k, v] of Object.entries(envExtras)) {
+      sessArgs.push('-e', `${k}=${v}`);
+    }
+    sessArgs.push(command, ...args);
+    try {
+      await runFn('tmux', sessArgs);
+    } catch (err) {
+      throw Object.assign(new Error(`tmux spawn failed: ${err.message}`), {
+        code: 'TMUX_SPAWN_FAILED',
+        name,
+        cause: err,
+        stderr: err.stderr,
+      });
+    }
+    // Set a wide pane to reduce capture-pane wrap artifacts.
+    // Best-effort — if the set-option fails, capture-pane -J fallback
+    // in captureWide() handles the wrap case.
+    try {
+      await runFn('tmux', ['set-option', '-t', name, '-w', 'pane-width', String(paneWidth)]);
+    } catch (err) {
+      logger.warn?.(`[tmux-runner] set-option pane-width failed for ${name}: ${err.message}`);
+    }
+    return name;
+  }
+
+  /**
+   * Send raw key sequence (Enter, Escape, C-c, etc.). NOT for prompt
+   * body — use pasteText for that. send-keys without -l interprets
+   * key names like "Enter" and "C-c".
+   */
+  async function sendControl(name, key) {
+    await runFn('tmux', ['send-keys', '-t', name, key]);
+  }
+
+  /**
+   * Push a multi-line text prompt into the pane.
+   *
+   *   1. sanitize()  strips C0/DEL bytes (G5b)
+   *   2. \n → MULTILINE_SEPARATOR  (F-spike-3)
+   *   3. set-buffer + paste-buffer  (atomic; bracketed-paste-aware
+   *      in modern claude TUI versions)
+   *
+   * NO Enter is sent. Caller follows up with `sendControl(name, 'Enter')`
+   * when they want to submit. (Splitting paste + Enter lets callers
+   * verify the text landed via capture-pane before submitting.)
+   */
+  async function pasteText(name, text) {
+    const sanitized = sanitize(text);
+    const oneLine = sanitized.replace(/\r?\n/g, MULTILINE_SEPARATOR);
+    const bufName = `polygram-buf-${crypto.randomBytes(3).toString('hex')}`;
+    await runFn('tmux', ['set-buffer', '-b', bufName, oneLine]);
+    try {
+      // -d (delete after) so the buffer doesn't accumulate.
+      await runFn('tmux', ['paste-buffer', '-t', name, '-b', bufName, '-d']);
+    } catch (err) {
+      // Best-effort buffer cleanup if paste fails.
+      await runFn('tmux', ['delete-buffer', '-b', bufName]).catch(() => {});
+      throw err;
+    }
+    return { sanitized, oneLine, stripped: text.length - sanitized.length };
+  }
+
+  /**
+   * Capture pane content. By default returns the last 1000 lines with
+   * line-wrapped lines joined (`-J`) — handles wrapping artifacts
+   * regardless of pane-width setting.
+   *
+   * For frequent polling (ready/streaming/approval-prompt detection),
+   * pass a smaller `lines` value — the indicators all live in the
+   * bottom ~50 lines of the pane. Polling 1000 lines each poll spawns
+   * a heavier tmux capture subprocess unnecessarily.
+   */
+  async function capturePane(name, { lines = 1000, joinWrapped = true } = {}) {
+    const args = ['capture-pane', '-t', name, '-p'];
+    if (joinWrapped) args.push('-J');
+    args.push('-S', `-${lines}`);
+    const { stdout } = await runFn('tmux', args);
+    return stdout;
+  }
+
+  /**
+   * Wide capture — alias for capturePane with -J always on. Use when
+   * regex parsing is sensitive to line wrapping.
+   */
+  async function captureWide(name, opts = {}) {
+    return capturePane(name, { ...opts, joinWrapped: true });
+  }
+
+  async function sessionExists(name) {
+    try {
+      await runFn('tmux', ['has-session', '-t', name]);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  async function killSession(name) {
+    await runFn('tmux', ['kill-session', '-t', name]).catch(() => {});
+  }
+
+  /**
+   * List polygram-managed tmux sessions on the host. Optional `botName`
+   * narrows the prefix; without it returns all `polygram-*` sessions.
+   */
+  async function listPolygramSessions(botName = null) {
+    try {
+      const { stdout } = await runFn('tmux', ['list-sessions', '-F', '#{session_name}']);
+      const all = stdout.trim().split('\n').filter(Boolean);
+      const prefix = botName ? `polygram-${String(botName).replace(/[^\w-]/g, '_')}-` : 'polygram-';
+      return all.filter((n) => n.startsWith(prefix));
+    } catch {
+      return [];
+    }
+  }
+
+  return {
+    spawn,
+    sendControl,
+    pasteText,
+    capturePane,
+    captureWide,
+    sessionExists,
+    killSession,
+    listPolygramSessions,
+    sessionName,
+    debugLogPath,
+    ensureLogDir,
+    sanitize,
+    // Test hook
+    _run: runFn,
+  };
+}
+
+module.exports = {
+  createTmuxRunner,
+  sessionName,
+  debugLogPath,
+  sanitize,
+  MULTILINE_SEPARATOR,
+  CONTROL_CHAR_RE,
+};

package/lib/tmux/tui-tool-input.js

@@ -0,0 +1,62 @@
+/**
+ * Normalize the tool-input string parsed from a claude TUI approval
+ * prompt into a canUseTool-shaped object — so the rest of polygram's
+ * approval plumbing (chat_tool_decisions persistence, approvalCardText
+ * rendering, matchesApprovalPattern gating) works uniformly across
+ * SDK and tmux backends.
+ *
+ * The TUI's invocation line looks like:
+ *
+ *   ⏺ Bash(rm /tmp/foo.txt)
+ *   ⏺ Read(/Users/x/y.txt)
+ *   ⏺ Write(/path/file, "contents")
+ *
+ * What lands in `rawArg` is everything between the parens. Mapping is
+ * heuristic — the TUI doesn't tag args by name, so we map common tools
+ * to their known field shapes; anything else becomes `{ _raw: <str> }`
+ * so the approval card still renders something readable.
+ *
+ * The shape doesn't need to be byte-identical to what SDK's canUseTool
+ * receives — it only needs to be:
+ *   - consistent enough that chat_tool_decisions can hash + match it
+ *   - readable enough that the approval card body shows useful info
+ *   - serializable to JSON
+ */
+
+'use strict';
+
+/**
+ * @param {string} toolName  — e.g. 'Bash', 'Read', 'Write'
+ * @param {string} rawArg    — the parenthesised content
+ * @returns {object}
+ */
+function normalizeTuiToolInput(toolName, rawArg) {
+  const arg = typeof rawArg === 'string' ? rawArg : '';
+  switch (toolName) {
+    case 'Bash':
+      return { command: arg };
+    case 'Read':
+    case 'Glob':
+      return { file_path: arg };
+    case 'Write':
+    case 'Edit': {
+      // Best-effort split on first comma; the TUI doesn't escape so
+      // commands with commas inside arg #1 will misparse. The
+      // approval card still shows the raw shape, so the operator
+      // can read the actual command before approving.
+      const commaIdx = arg.indexOf(',');
+      if (commaIdx === -1) return { file_path: arg };
+      return {
+        file_path: arg.slice(0, commaIdx).trim(),
+        _raw_tail: arg.slice(commaIdx + 1).trim(),
+      };
+    }
+    case 'WebFetch':
+    case 'WebSearch':
+      return { url: arg };
+    default:
+      return { _raw: arg };
+  }
+}
+
+module.exports = { normalizeTuiToolInput };

package/migrations/011-pm-backend.sql

@@ -0,0 +1,17 @@
+-- 011-pm-backend.sql
+--
+-- 0.10.0: add pm_backend column to sessions table.
+--
+-- Lets boot-replay know which backend a session was last running under
+-- (sdk | tmux). Phase 1 ships only the SDK backend, so existing rows
+-- and new rows all get 'sdk'. Phase 2 starts populating 'tmux' for
+-- chats with config.chats[X].pm = 'tmux'.
+--
+-- Invariant: the running session's backend MUST match what the DB
+-- says. If config changes pm: sdk → pm: tmux mid-session, polygram
+-- keeps the running session on SDK; only on /new or daemon restart
+-- does the new choice take effect.
+--
+-- See docs/0.10.0-process-manager-abstraction-plan.md §6.5.
+
+ALTER TABLE sessions ADD COLUMN pm_backend TEXT NOT NULL DEFAULT 'sdk';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.9.0",
+  "version": "0.10.0-rc.2",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {

package/polygram.js

@@ -33,7 +33,17 @@ const { filterAttachments } = require('./lib/attachments');
 // callbacks), so the rest of polygram.js doesn't branch beyond the
 // pick-at-startup. Phase 4 deletes the CLI version after Phase 5
 // soak proves SDK stable. See docs/0.8.0-architecture-decisions.md.
-const { ProcessManagerSdk, extractAssistantText } = require('./lib/sdk/process-manager');
+// 0.10.0: ProcessManager is generic (collection + LRU + dispatch).
+// Process subclasses (SdkProcess now, TmuxProcess in Phase 2) provide
+// per-session mechanics. The pre-0.10.0 monolithic ProcessManagerSdk
+// is deleted; SdkProcess inherits its per-entry guts.
+const { ProcessManager } = require('./lib/process-manager');
+const { createProcessFactory } = require('./lib/process/factory');
+const { extractAssistantText } = require('./lib/process/sdk-process');
+const { createTmuxRunner } = require('./lib/tmux/tmux-runner');
+const { sweepTmuxOrphans } = require('./lib/tmux/orphan-sweep');
+const { normalizeTuiToolInput } = require('./lib/tmux/tui-tool-input');
+const { PollScheduler } = require('./lib/tmux/poll-scheduler');
 // rc.42: autosteer-buffer module deleted. Native SDK priority push
 // (pm.injectUserMessage) replaces the buffer + PostToolBatch detour.
 const { createAutosteeredRefs } = require('./lib/autosteered-refs');
@@ -1113,29 +1123,34 @@ async function handleMessage(sessionKey, chatId, msg, bot) {
       // subsequent fires. Cleared on compact-boundary so the next
       // cycle (if it crosses again) will fire fresh.
       if (chatCtxHint === true && !contextHintShown.has(sessionKey)) {
-        const entry = pm.get(sessionKey);
-        const q = entry?.query;
-        if (q && typeof q.getContextUsage === 'function') {
-          const threshold = chatConfig.contextHintThreshold != null
-            ? chatConfig.contextHintThreshold
-            : (config.bot?.contextHintThreshold != null
-              ? config.bot.contextHintThreshold
-              : undefined);
-          q.getContextUsage().then((usage) => {
-            const text = maybeContextFullHint(usage, threshold != null ? { threshold } : undefined);
-            if (!text) return;
-            // Mark BEFORE the send so concurrent turns don't all
-            // fire the hint while the first one's still in flight.
-            contextHintShown.add(sessionKey);
-            return tg(bot, 'sendMessage', {
-              chat_id: chatId,
-              text,
-              ...(threadId ? { message_thread_id: threadId } : {}),
-            }, { source: 'context-full-hint', botName: BOT_NAME });
-          }).catch((err) => {
-            console.error(`[${label}] context-hint failed: ${err.message}`);
-          });
-        }
+        // 0.10.0: route through pm.getContextUsage(sessionKey) instead
+        // of poking entry.query directly. The pm-level call delegates
+        // to Process.getContextUsage(), which is implemented by BOTH
+        // SdkProcess (via Query.getContextUsage) and TmuxProcess (via
+        // JSONL message.usage snapshots). Either backend returns the
+        // same shape; either throws Unsupported when no data yet.
+        const threshold = chatConfig.contextHintThreshold != null
+          ? chatConfig.contextHintThreshold
+          : (config.bot?.contextHintThreshold != null
+            ? config.bot.contextHintThreshold
+            : undefined);
+        pm.getContextUsage(sessionKey).then((usage) => {
+          const text = maybeContextFullHint(usage, threshold != null ? { threshold } : undefined);
+          if (!text) return;
+          // Mark BEFORE the send so concurrent turns don't all fire
+          // the hint while the first one's still in flight.
+          contextHintShown.add(sessionKey);
+          return tg(bot, 'sendMessage', {
+            chat_id: chatId,
+            text,
+            ...(threadId ? { message_thread_id: threadId } : {}),
+          }, { source: 'context-full-hint', botName: BOT_NAME });
+        }).catch((err) => {
+          // UnsupportedOperation = backend doesn't have usage data
+          // (yet) — silent no-op, not an error. Other errors surface.
+          if (err?.code === 'UNSUPPORTED_OPERATION') return;
+          console.error(`[${label}] context-hint failed: ${err.message}`);
+        });
       }
     }
 
@@ -1860,6 +1875,20 @@ async function main() {
     console.log(`[orphan-guard] prior=${pidClaim.priorPid ?? '?'} action=${pidClaim.priorAction}`);
   }
 
+  // 0.10.0: after claimPidFile kills the orphan daemon, sweep any
+  // `polygram-<bot>-*` tmux sessions it left behind. Tmux sessions
+  // outlive their parent process — without this, the new daemon's
+  // TmuxProcess.start() hits EEXIST on session spawn for any chat
+  // routed to pm:'tmux'. See lib/tmux/orphan-sweep.js for rationale.
+  try {
+    const sweep = await sweepTmuxOrphans({ botName: BOT_NAME, logger: console });
+    if (sweep.swept.length > 0) {
+      console.log(`[orphan-sweep] killed ${sweep.swept.length} stale tmux session(s)`);
+    }
+  } catch (err) {
+    console.warn?.(`[orphan-sweep] failed (non-fatal): ${err.message}`);
+  }
+
   try {
     db = dbClient.open(DB_PATH);
     console.log(`[db] opened ${DB_PATH}`);
@@ -1956,7 +1985,12 @@ async function main() {
     extractAssistantText, getChatIdFromKey, getThreadIdFromKey,
     logger: console,
   });
-  Object.assign(pmOpts, sdkCallbacks);
+  // 0.10.0: sdkCallbacks (the polygram-side lifecycle handlers — status
+  // reactor, stream chunk → bubble edit, etc.) move from the underlying
+  // SDK pm to the generic ProcessManager. The SDK pm gets legacyCallbacks
+  // (a bridge that re-emits events on per-Process EventEmitters); the
+  // generic pm subscribes to those EventEmitters and forwards to
+  // sdkCallbacks. Same code path; one extra hop for the abstraction.
 
   ({
     makeCanUseTool,
@@ -1984,7 +2018,60 @@ async function main() {
   downloadAttachments = createDownloadAttachments({
     config, db, dbWrite, inboxDir: INBOX_DIR, logger: console,
   });
-  pm = new ProcessManagerSdk({ ...pmOpts, spawnFn: buildSdkOptions });
+  // 0.10.0: one ProcessManager, holds Process instances (SdkProcess
+  // today; TmuxProcess too in Phase 2). Factory mints the right
+  // subclass per-chat based on config.chats[X].pm. Lifecycle events
+  // (init / close / stream-chunk / result / tool-use / etc.) emit
+  // from each Process; the pm forwards to sdkCallbacks.
+  // tmux backend runner — one per daemon, shared across all TmuxProcess
+  // instances. Construction is cheap (no system call until first
+  // spawn/send). Only used if any chat in config has pm:'tmux'.
+  const tmuxRunner = createTmuxRunner({ logger: console });
+  // O1 optimization: shared poll-tick scheduler. N TmuxProcess
+  // instances share ONE setInterval instead of spawning N independent
+  // setTimeout chains. Idle when no chats are in flight (zero timers
+  // running). Configurable via config.bot.tmuxPollIntervalMs.
+  const tmuxPollIntervalMs = config.bot?.tmuxPollIntervalMs || 250;
+  const pollScheduler = new PollScheduler({ intervalMs: tmuxPollIntervalMs });
+  const processFactory = createProcessFactory({
+    config,
+    spawnFn: buildSdkOptions,
+    db,
+    logger: console,
+    tmuxRunner,
+    botName: BOT_NAME,
+    pollScheduler,
+  });
+  // 0.10.0: route tmux backend's in-pane approval prompts through the
+  // SAME canUseTool plumbing that SDK chats use. TmuxProcess emits
+  // 'approval-required' with a respond() closure when it detects the
+  // TUI's "Do you want to do this?" prompt; we call makeCanUseTool
+  // (admin-chat card, chat_tool_decisions persistence, timeout race —
+  // all reused from SDK) and feed its decision back to the TUI.
+  sdkCallbacks.onApprovalRequired = async (sessionKey, payload) => {
+    const { toolName, toolInput, id, respond } = payload || {};
+    if (typeof respond !== 'function') return;
+    try {
+      const canUseTool = makeCanUseTool(sessionKey);
+      const input = normalizeTuiToolInput(toolName, toolInput);
+      const decision = await canUseTool(toolName, input, { toolUseID: id });
+      const verdict = decision?.behavior === 'allow' ? 'allow' : 'deny';
+      await respond(verdict, decision?.message);
+    } catch (err) {
+      console.error(`[approval-required] ${sessionKey} ${toolName} → ${err.message}`);
+      // Fail-closed: deny with the error as feedback.
+      try { await respond('deny', `approval-flow error: ${err.message}`); }
+      catch { /* swallow */ }
+    }
+  };
+
+  pm = new ProcessManager({
+    processFactory,
+    db,
+    logger: console,
+    callbacks: sdkCallbacks,
+    budget: cap,
+  });
   // formatConfigInfoText MUST be wired BEFORE createHandleConfigCallback
   // — the latter destructures formatConfigInfoText from its deps at
   // call time and captures the value (closure-by-value). v4 reviewer
@@ -2315,14 +2402,16 @@ async function main() {
       if (o.text && savedSessionId) {
         try {
           const entry = await pm.getOrSpawn(o.session_key, buildSpawnContext(o.session_key));
-          if (!entry?.inputController?.push) {
-            throw new Error('input controller not ready post-spawn');
+          // 0.10.0 P0.4: route through Process.fireUserMessage so both
+          // SDK and tmux backends work. Pre-0.10.0-P0.4 reached into
+          // entry.inputController.push directly — broken on tmux.
+          if (!entry || typeof entry.fireUserMessage !== 'function') {
+            throw new Error('Process.fireUserMessage not available');
+          }
+          const ok = entry.fireUserMessage(o.text);
+          if (!ok) {
+            throw new Error('fireUserMessage refused (closed or empty content)');
           }
-          entry.inputController.push({
-            type: 'user',
-            message: { role: 'user', content: o.text },
-            parent_tool_use_id: null,
-          });
           logEvent('compact-replay', {
             chat_id: o.chat_id,
             thread_id: o.thread_id,