sensorium-mcp 2.17.27 → 3.0.0

package/supervisor/main.go

@@ -2,14 +2,21 @@ package main
 
 import (
 	"context"
+	"flag"
 	"fmt"
 	"os"
 	"os/signal"
+	"strings"
 	"sync"
 	"syscall"
 	"time"
 )
 
+var (
+	globalCancelMu sync.Mutex
+	globalCancel   context.CancelFunc
+)
+
 // KeeperEntry tracks a running keeper and its settings.
 type KeeperEntry struct {
 	keeper   *Keeper
@@ -17,17 +24,130 @@ type KeeperEntry struct {
 }
 
 func main() {
-	cfg := LoadConfig()
+	isService, err := isWindowsService()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to detect service mode: %v\n", err)
+		os.Exit(1)
+	}
+	if isService {
+		if err := runAsService(); err != nil {
+			fmt.Fprintf(os.Stderr, "Service run failed: %v\n", err)
+			os.Exit(1)
+		}
+		return
+	}
 
-	if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {
-		fmt.Fprintf(os.Stderr, "Cannot create data dir %s: %v\n", cfg.DataDir, err)
+	if handled, err := handleServiceCommand(os.Args[1:]); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
 		os.Exit(1)
+	} else if handled {
+		return
+	}
+
+	runningAsService := resolveRunSupervisorMode(isService, os.Getenv("HOST_MODE"))
+	if err := runSupervisor(runningAsService); err != nil {
+		fmt.Fprintf(os.Stderr, "Supervisor failed: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func resolveRunSupervisorMode(processIsService bool, hostModeValue string) bool {
+	if processIsService {
+		return true
+	}
+
+	return parseHostMode(hostModeValue, false) == "service"
+}
+
+func handleServiceCommand(args []string) (bool, error) {
+	if len(args) == 0 {
+		return false, nil
+	}
+
+	switch args[0] {
+	case "install":
+		fs := flag.NewFlagSet("install", flag.ContinueOnError)
+		serviceUser := fs.String("service-user", "", "Windows account to run service as (e.g. .\\YourUser). Defaults to LocalSystem if empty.")
+		servicePassword := fs.String("service-password", "", "Password for the service account (required for regular user accounts; not needed for LocalSystem/LocalService/NetworkService, NT SERVICE\\*, or gMSA names ending with '$').")
+		if err := fs.Parse(args[1:]); err != nil {
+			return true, err
+		}
+		if *serviceUser != "" && *servicePassword == "" && !isPasswordlessServiceIdentity(*serviceUser) {
+			return true, fmt.Errorf("install failed: -service-password is required for regular -service-user accounts\nAllowed passwordless identities: LocalSystem/LocalService/NetworkService, NT SERVICE\\*, and gMSA names ending with '$'\nNote: prefer using Install-Sensorium.ps1, which prompts securely for passwords")
+		}
+		exePath, err := os.Executable()
+		if err != nil {
+			return true, fmt.Errorf("install failed: resolve executable: %w", err)
+		}
+		return true, installService(exePath, *serviceUser, *servicePassword)
+	case "uninstall":
+		return true, uninstallService()
+	case "start":
+		return true, startService()
+	case "stop":
+		return true, stopService()
+	case "status":
+		return true, serviceStatus()
+	default:
+		return false, nil
+	}
+}
+
+func isPasswordlessServiceIdentity(user string) bool {
+	trimmed := strings.TrimSpace(user)
+	if trimmed == "" {
+		return false
+	}
+
+	lower := strings.ToLower(trimmed)
+	switch lower {
+	case "localsystem", "nt authority\\system", "localservice", "nt authority\\localservice", "networkservice", "nt authority\\networkservice":
+		return true
+	}
+
+	if strings.HasPrefix(lower, "nt service\\") {
+		return true
+	}
+
+	return strings.HasSuffix(trimmed, "$")
+}
+
+func stopSupervisor() {
+	globalCancelMu.Lock()
+	fn := globalCancel
+	globalCancelMu.Unlock()
+	if fn != nil {
+		fn()
+	}
+}
+
+func runSupervisor(runningAsService bool) error {
+	cfg := LoadConfig(runningAsService)
+
+	if err := os.MkdirAll(cfg.DataDir, 0755); err != nil {
+		return fmt.Errorf("cannot create data dir %s: %w", cfg.DataDir, err)
 	}
 
 	log := NewLogger(cfg.Paths.WatcherLog)
 	defer log.Close()
 
-	log.Info("sensorium-supervisor starting (mode=%s, port=%d, dataDir=%s)", cfg.Mode, cfg.MCPHttpPort, cfg.DataDir)
+	// Acquire lock — prevent multiple instances
+	if !AcquireLock(cfg.Paths.WatcherLock, log) {
+		return fmt.Errorf("another supervisor instance is already running")
+	}
+	defer ReleaseLock(cfg.Paths.WatcherLock)
+
+	shouldRestart, err := applyPendingSupervisorUpdate(cfg, log)
+	if err != nil {
+		log.Warn("Pending supervisor update could not be applied: %v", err)
+	}
+	if shouldRestart {
+		return nil
+	}
+
+	recoverPersistedUpdateStateOnStartup(cfg, log)
+
+	log.Info("sensorium-supervisor starting (mode=%s, hostMode=%s, port=%d, dataDir=%s)", cfg.Mode, cfg.HostMode, cfg.MCPHttpPort, cfg.DataDir)
 	log.Debug("Config: MCPStartCommand=%q, PollInterval=%v, MinUptime=%v, KeeperMaxRetries=%d", cfg.MCPStartCommand, cfg.PollInterval, cfg.MinUptime, cfg.KeeperMaxRetries)
 	log.Debug("Config: TelegramToken=%v, HealthFailThresh=%d, StuckThreshold=%v", cfg.TelegramToken != "", cfg.HealthFailThresh, cfg.StuckThreshold)
 
@@ -38,15 +158,9 @@ func main() {
 		log.Warn("Cannot create heartbeats dir %s: %v", cfg.Paths.HeartbeatsDir, err)
 	}
 
-	// Acquire lock — prevent multiple instances
-	if !AcquireLock(cfg.Paths.WatcherLock, log) {
-		os.Exit(1)
-	}
-	defer ReleaseLock(cfg.Paths.WatcherLock)
-
 	if cfg.MCPHttpPort <= 0 {
 		log.Error("MCP_HTTP_PORT must be set (got %d)", cfg.MCPHttpPort)
-		os.Exit(1)
+		return fmt.Errorf("MCP_HTTP_PORT must be set (got %d)", cfg.MCPHttpPort)
 	}
 
 	mcp := NewMCPClient(cfg.MCPHttpPort, cfg.MCPHttpSecret)
@@ -59,15 +173,23 @@ func main() {
 	KillByPort(cfg.MCPHttpPort, log)
 
 	// Spawn MCP server
-	_, err := SpawnMCPServer(cfg, log)
+	_, err = SpawnMCPServer(cfg, log)
 	if err != nil {
 		log.Error("Failed to start MCP server: %v", err)
-		os.Exit(1)
+		return fmt.Errorf("failed to start MCP server: %w", err)
 	}
 
 	// Wait for server to be ready
 	ctx, rootCancel := context.WithCancel(context.Background())
 	defer rootCancel()
+	globalCancelMu.Lock()
+	globalCancel = rootCancel
+	globalCancelMu.Unlock()
+	defer func() {
+		globalCancelMu.Lock()
+		globalCancel = nil
+		globalCancelMu.Unlock()
+	}()
 
 	if mcp.WaitForReady(ctx, 3*time.Second, cfg.KeeperReadyTimeout) {
 		log.Info("MCP server is ready")
@@ -208,9 +330,13 @@ func main() {
 
 	log.Info("All subsystems started — supervisor is running (PID %d)", os.Getpid())
 
-	sig := <-sigCh
-	log.Info("Received %s — shutting down", sig)
-	rootCancel()
+	select {
+	case sig := <-sigCh:
+		log.Info("Received %s — shutting down", sig)
+		rootCancel()
+	case <-ctx.Done():
+		log.Info("Shutdown requested")
+	}
 
 	// Stop keepers (with 10s timeout)
 	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 10*time.Second)
@@ -251,12 +377,13 @@ func main() {
 	}
 
 	log.Info("Supervisor stopped cleanly")
+	return nil
 }
 
-// fetchKeeperSettings reads the root threads from the MCP server,
-// filtering for those with keepAlive=true.
+// fetchKeeperSettings reads all keepAlive threads from the MCP server
+// (root, branch, and daily — excludes worker threads).
 func fetchKeeperSettings(ctx context.Context, mcp *MCPClient, log *Logger) ([]KeeperConfig, error) {
-	roots, err := mcp.GetRootThreads(ctx)
+	roots, err := mcp.GetKeepAliveThreads(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -268,6 +395,10 @@ func fetchKeeperSettings(ctx context.Context, mcp *MCPClient, log *Logger) ([]Ke
 			continue
 		}
 
+		if typ, _ := r["type"].(string); typ == "worker" {
+			continue
+		}
+
 		// Skip non-active roots (archived, expired, exited)
 		if status, _ := r["status"].(string); status != "" && status != "active" {
 			continue

package/supervisor/main_test.go

@@ -0,0 +1,130 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestResolveRunSupervisorMode(t *testing.T) {
+	tests := []struct {
+		name             string
+		processIsService bool
+		hostMode         string
+		want             bool
+	}{
+		{
+			name:             "service process always forces service mode",
+			processIsService: true,
+			hostMode:         "task",
+			want:             true,
+		},
+		{
+			name:             "non-service defaults to task mode",
+			processIsService: false,
+			hostMode:         "",
+			want:             false,
+		},
+		{
+			name:             "non-service task remains task mode",
+			processIsService: false,
+			hostMode:         "task",
+			want:             false,
+		},
+		{
+			name:             "non-service service mode is honored",
+			processIsService: false,
+			hostMode:         "service",
+			want:             true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := resolveRunSupervisorMode(tc.processIsService, tc.hostMode)
+			if got != tc.want {
+				t.Fatalf("resolveRunSupervisorMode(processIsService=%v, hostMode=%q) = %v, want %v", tc.processIsService, tc.hostMode, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestRunSupervisor_DoesNotRecoverPersistedStateWhenWatcherLockNotAcquired(t *testing.T) {
+	tempHome := t.TempDir()
+	t.Setenv("USERPROFILE", tempHome)
+	t.Setenv("HOME", tempHome)
+	t.Setenv("MCP_HTTP_PORT", "7777")
+	t.Setenv("MCP_HTTP_SECRET", "test-secret")
+	t.Setenv("TELEGRAM_TOKEN", "test-token")
+	t.Setenv("TELEGRAM_CHAT_ID", "test-chat")
+
+	dataDir := filepath.Join(tempHome, ".remote-copilot-mcp")
+	log := NewLogger(filepath.Join(dataDir, "test.log"))
+	defer log.Close()
+
+	store := NewUpdateStateStore(filepath.Join(dataDir, "update-state.json"), log)
+	store.Transition(updateScopeMCP, updatePhaseApplying, "2.0.0", "1.0.0", "")
+
+	watcherLock := filepath.Join(dataDir, "watcher.lock")
+	if !AcquireLock(watcherLock, log) {
+		t.Fatal("failed to pre-acquire watcher lock")
+	}
+	defer ReleaseLock(watcherLock)
+
+	err := runSupervisor(false)
+	if err == nil {
+		t.Fatal("expected runSupervisor to fail when watcher lock is already held")
+	}
+	if !strings.Contains(err.Error(), "another supervisor instance") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	state, loadErr := store.Load()
+	if loadErr != nil {
+		t.Fatalf("failed to load update state: %v", loadErr)
+	}
+	if state.Phase != updatePhaseApplying {
+		t.Fatalf("phase = %q, want %q", state.Phase, updatePhaseApplying)
+	}
+}
+
+func TestRunSupervisor_DoesNotApplyPendingSupervisorUpdateWhenWatcherLockNotAcquired(t *testing.T) {
+	tempHome := t.TempDir()
+	t.Setenv("USERPROFILE", tempHome)
+	t.Setenv("HOME", tempHome)
+	t.Setenv("MCP_HTTP_PORT", "7777")
+	t.Setenv("MCP_HTTP_SECRET", "test-secret")
+	t.Setenv("TELEGRAM_TOKEN", "test-token")
+	t.Setenv("TELEGRAM_CHAT_ID", "test-chat")
+
+	dataDir := filepath.Join(tempHome, ".remote-copilot-mcp")
+	log := NewLogger(filepath.Join(dataDir, "test.log"))
+	defer log.Close()
+
+	pendingVersion := filepath.Join(dataDir, "bin", "sensorium-supervisor.new.exe.version")
+	if err := os.MkdirAll(filepath.Dir(pendingVersion), 0755); err != nil {
+		t.Fatalf("failed to create pending version directory: %v", err)
+	}
+	if err := os.WriteFile(pendingVersion, []byte("2.0.0"), 0644); err != nil {
+		t.Fatalf("failed to create stale pending version file: %v", err)
+	}
+
+	watcherLock := filepath.Join(dataDir, "watcher.lock")
+	if !AcquireLock(watcherLock, log) {
+		t.Fatal("failed to pre-acquire watcher lock")
+	}
+	defer ReleaseLock(watcherLock)
+
+	err := runSupervisor(false)
+	if err == nil {
+		t.Fatal("expected runSupervisor to fail when watcher lock is already held")
+	}
+	if !strings.Contains(err.Error(), "another supervisor instance") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if _, statErr := os.Stat(pendingVersion); statErr != nil {
+		t.Fatalf("pending supervisor version file was unexpectedly modified: %v", statErr)
+	}
+}

package/supervisor/process.go

@@ -10,6 +10,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
 )
 
@@ -21,16 +22,44 @@ func SpawnMCPServer(cfg Config, log *Logger) (int, error) {
 		return 0, errors.New("empty MCP_START_COMMAND")
 	}
 
+	if err := os.MkdirAll(filepath.Dir(cfg.Paths.MCPStderrLog), 0755); err != nil {
+		return 0, fmt.Errorf("create MCP stderr log directory: %w", err)
+	}
+	stderrFile, err := os.OpenFile(cfg.Paths.MCPStderrLog, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return 0, fmt.Errorf("open MCP stderr log: %w", err)
+	}
+
 	cmd := exec.Command(parts[0], parts[1:]...)
 	cmd.Env = os.Environ()
+	for k, v := range cfg.ResolvedProfileEnv {
+		if v == "" {
+			continue
+		}
+		cmd.Env = upsertEnv(cmd.Env, k, v)
+	}
+	if cfg.MCPHttpPort > 0 {
+		cmd.Env = upsertEnv(cmd.Env, "MCP_HTTP_PORT", strconv.Itoa(cfg.MCPHttpPort))
+	}
+	if cfg.MCPHttpSecret != "" {
+		cmd.Env = upsertEnv(cmd.Env, "MCP_HTTP_SECRET", cfg.MCPHttpSecret)
+	}
+	if cfg.TelegramToken != "" {
+		cmd.Env = upsertEnv(cmd.Env, "TELEGRAM_TOKEN", cfg.TelegramToken)
+	}
+	if cfg.TelegramChatID != "" {
+		cmd.Env = upsertEnv(cmd.Env, "TELEGRAM_CHAT_ID", cfg.TelegramChatID)
+	}
 	cmd.Stdin = nil
 	cmd.Stdout = nil
-	cmd.Stderr = nil
+	cmd.Stderr = stderrFile
 	setSysProcAttr(cmd)
 
 	log.Info("Starting MCP server: %s", cfg.MCPStartCommand)
+	log.Info("Capturing MCP server stderr to %s", cfg.Paths.MCPStderrLog)
 
 	if err := cmd.Start(); err != nil {
+		_ = stderrFile.Close()
 		return 0, fmt.Errorf("spawn MCP server: %w", err)
 	}
 
@@ -38,7 +67,10 @@ func SpawnMCPServer(cfg Config, log *Logger) (int, error) {
 	log.Info("MCP server started with PID %d", pid)
 
 	// Don't wait — detached process
-	go func() { _ = cmd.Wait() }()
+	go func() {
+		_ = cmd.Wait()
+		_ = stderrFile.Close()
+	}()
 
 	if err := writePIDFile(cfg.Paths.ServerPID, pid); err != nil {
 		log.Warn("Failed to write server PID file: %v", err)
@@ -47,6 +79,17 @@ func SpawnMCPServer(cfg Config, log *Logger) (int, error) {
 	return pid, nil
 }
 
+func upsertEnv(env []string, key, value string) []string {
+	prefix := key + "="
+	for i, kv := range env {
+		if strings.HasPrefix(kv, prefix) {
+			env[i] = prefix + value
+			return env
+		}
+	}
+	return append(env, prefix+value)
+}
+
 // KillProcess kills a process by PID. On Windows, uses taskkill /F /T for tree kill.
 func KillProcess(pid int, log *Logger) error {
 	if !IsProcessAlive(pid) {
@@ -72,7 +115,7 @@ func KillProcess(pid int, log *Logger) error {
 		log.Debug("KillProcess: FindProcess(%d) failed: %v", pid, err)
 		return err
 	}
-	if err := proc.Signal(os.Interrupt); err != nil {
+	if err := proc.Signal(syscall.SIGTERM); err != nil {
 		// Already dead
 		return nil
 	}
@@ -125,7 +168,7 @@ func IsProcessAlive(pid int) bool {
 	if err != nil {
 		return false
 	}
-	return proc.Signal(nil) == nil // signal 0 = existence check on Unix
+	return proc.Signal(syscall.Signal(0)) == nil // signal 0 = existence check on Unix
 }
 
 // --- PID File Helpers ---

package/supervisor/process_test.go

@@ -92,3 +92,17 @@ func TestListThreadPIDs_MissingDir(t *testing.T) {
 		t.Errorf("expected empty map for missing directory, got %d entries", len(result))
 	}
 }
+
+func TestUpsertEnv_ReplacesExistingAndAppendsMissing(t *testing.T) {
+	env := []string{"A=1", "B=2"}
+
+	env = upsertEnv(env, "B", "updated")
+	if env[1] != "B=updated" {
+		t.Fatalf("expected existing key to be replaced, got %q", env[1])
+	}
+
+	env = upsertEnv(env, "C", "3")
+	if env[len(env)-1] != "C=3" {
+		t.Fatalf("expected missing key to be appended, got %q", env[len(env)-1])
+	}
+}

package/supervisor/secrets.go

@@ -0,0 +1,95 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/zalando/go-keyring"
+
+	sv "github.com/andriyshevchenko/SecureVault/securevault-go"
+)
+
+const defaultKeyringService = "sensorium-supervisor"
+
+var keyringGet = keyring.Get
+
+// resolveSecretWithKeyring returns environment value first, then keyring fallback.
+// If both sources are unavailable, it returns an empty string.
+func resolveSecretWithKeyring(envKey, keyringService string) string {
+	if v := os.Getenv(envKey); v != "" {
+		return v
+	}
+
+	if keyringService == "" {
+		return ""
+	}
+
+	secret, err := keyringGet(keyringService, envKey)
+	if err != nil {
+		if errors.Is(err, keyring.ErrNotFound) {
+			return ""
+		}
+		fmt.Fprintf(os.Stderr, "WARN: keyring lookup failed for %s (service=%s): %v\n", envKey, keyringService, err)
+		return ""
+	}
+	return secret
+}
+
+// resolveIntWithKeyring parses an integer value from env first, then keyring fallback.
+// If parsing fails or no value exists, it returns fallback.
+func resolveIntWithKeyring(envKey, keyringService string, fallback int) int {
+	v := resolveSecretWithKeyring(envKey, keyringService)
+	if v == "" {
+		return fallback
+	}
+	parsed, err := strconv.Atoi(v)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "WARN: invalid integer for %s: %q\n", envKey, v)
+		return fallback
+	}
+	return parsed
+}
+
+// resolveFromSecureVault looks up envKey in the named SecureVault profile.
+// baseDir may be empty (defaults to %LOCALAPPDATA%\SecureVault).
+// Returns empty string on any error, with a warning for unexpected failures.
+func resolveFromSecureVault(profileName, envKey, baseDir string) string {
+	store := sv.NewStore(baseDir)
+	val, err := store.ResolveKey(profileName, envKey)
+	if err != nil {
+		if errors.Is(err, sv.ErrNotFound) || errors.Is(err, sv.ErrUnsupportedPlatform) {
+			return ""
+		}
+		fmt.Fprintf(os.Stderr, "WARN: securevault lookup failed for %s (profile=%s): %v\n", envKey, profileName, err)
+		return ""
+	}
+	return val
+}
+
+// resolveStringChain resolves a string config key using the chain:
+// environment variable → SecureVault profile → OS keyring → empty string.
+func resolveStringChain(envKey, svProfile, svBaseDir, keyringService string) string {
+	if v := os.Getenv(envKey); v != "" {
+		return v
+	}
+	if v := resolveFromSecureVault(svProfile, envKey, svBaseDir); v != "" {
+		return v
+	}
+	return resolveSecretWithKeyring(envKey, keyringService)
+}
+
+// resolveIntChain resolves an integer config key using the same chain as resolveStringChain.
+func resolveIntChain(envKey, svProfile, svBaseDir, keyringService string, fallback int) int {
+	v := resolveStringChain(envKey, svProfile, svBaseDir, keyringService)
+	if v == "" {
+		return fallback
+	}
+	parsed, err := strconv.Atoi(v)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "WARN: invalid integer for %s: %q\n", envKey, v)
+		return fallback
+	}
+	return parsed
+}

package/supervisor/secrets_securevault_test.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	sv "github.com/andriyshevchenko/SecureVault/securevault-go"
+	"github.com/zalando/go-keyring"
+)
+
+// writeProfileFixture writes a minimal profiles.json to dir and returns the dir.
+func writeProfileFixture(t *testing.T, dir string, profiles []sv.Profile) {
+	t.Helper()
+	data, err := json.Marshal(profiles)
+	if err != nil {
+		t.Fatalf("marshal profiles: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "profiles.json"), data, 0600); err != nil {
+		t.Fatalf("write profiles.json: %v", err)
+	}
+}
+
+func TestResolveStringChain_EnvWins(t *testing.T) {
+	t.Setenv("TELEGRAM_TOKEN", "env-value")
+	dir := t.TempDir()
+	writeProfileFixture(t, dir, []sv.Profile{
+		{ID: "p1", Name: "TEST", Mappings: []sv.ProfileMapping{
+			{EnvVar: "TELEGRAM_TOKEN", SecretID: "no-cred"},
+		}},
+	})
+
+	got := resolveStringChain("TELEGRAM_TOKEN", "TEST", dir, "")
+	if got != "env-value" {
+		t.Errorf("resolveStringChain = %q, want env-value", got)
+	}
+}
+
+func TestResolveStringChain_SecureVaultFallback_MissingCred_UsesKeyring(t *testing.T) {
+	t.Setenv("TELEGRAM_TOKEN", "")
+	dir := t.TempDir()
+	writeProfileFixture(t, dir, []sv.Profile{
+		{ID: "p1", Name: "TEST", Mappings: []sv.ProfileMapping{
+			{EnvVar: "TELEGRAM_TOKEN", SecretID: "non-existent-cred"},
+		}},
+	})
+
+	orig := keyringGet
+	keyringGet = func(service, user string) (string, error) {
+		if service != "sensorium-supervisor" {
+			t.Fatalf("service = %q, want %q", service, "sensorium-supervisor")
+		}
+		if user != "TELEGRAM_TOKEN" {
+			t.Fatalf("user = %q, want %q", user, "TELEGRAM_TOKEN")
+		}
+		return "from-keyring", nil
+	}
+	t.Cleanup(func() { keyringGet = orig })
+
+	// Credential not in store → falls through to keyring.
+	got := resolveStringChain("TELEGRAM_TOKEN", "TEST", dir, "sensorium-supervisor")
+	if got != "from-keyring" {
+		t.Errorf("resolveStringChain = %q, want from-keyring", got)
+	}
+}
+
+func TestResolveStringChain_NoProfile_FallsToKeyring(t *testing.T) {
+	t.Setenv("TELEGRAM_TOKEN", "")
+
+	orig := keyringGet
+	keyringGet = func(service, user string) (string, error) {
+		return "", keyring.ErrNotFound
+	}
+	t.Cleanup(func() { keyringGet = orig })
+
+	// No profiles file in dir → securevault returns empty → keyring path taken.
+	got := resolveStringChain("TELEGRAM_TOKEN", "NONEXISTENT_PROFILE", t.TempDir(), "sensorium-supervisor")
+	if got != "" {
+		t.Errorf("resolveStringChain = %q, want empty", got)
+	}
+}
+
+func TestResolveIntChain_EnvWins(t *testing.T) {
+	t.Setenv("MCP_HTTP_PORT", "4567")
+	got := resolveIntChain("MCP_HTTP_PORT", "TEST", t.TempDir(), "", 0)
+	if got != 4567 {
+		t.Errorf("resolveIntChain = %d, want 4567", got)
+	}
+}
+
+func TestResolveIntChain_InvalidFallback(t *testing.T) {
+	t.Setenv("MCP_HTTP_PORT", "not-a-number")
+	got := resolveIntChain("MCP_HTTP_PORT", "TEST", t.TempDir(), "", 9999)
+	if got != 9999 {
+		t.Errorf("resolveIntChain invalid = %d, want fallback 9999", got)
+	}
+}