smol-symphony 0.2.0 → 0.3.1

package/dist/bin/symphony.js

@@ -1,794 +1,30 @@
 #!/usr/bin/env node
-// CLI entry. Usage:
-//   symphony [path-to-WORKFLOW.md] [--port <port>]
-//   symphony reconcile [path-to-WORKFLOW.md] [--force] [--port <port>]
-//   symphony rerun --check=<name> [path-to-WORKFLOW.md]
+// FCIS rewrite — the `symphony` binary ENTRYPOINT.
 //
-// Default workflow path is ./WORKFLOW.md.
+// Usage:
+//   symphony [path-to-WORKFLOW.yaml] [--port <port>] [--reconcile-force] [--verbose]
+//   symphony doctor    [path-to-WORKFLOW.yaml] [--port <port>]
+//   symphony reconcile [path-to-WORKFLOW.yaml] [--force] [--port <port>]
 //
-// The `reconcile` subcommand boots symphony exactly the same way as the bare
-// form; `--force` additionally requests an immediate reconcile pass (VM /
-// workspace / PR janitors) instead of waiting on the backstop tick.
-// `--reconcile-force` is kept as a top-level alias for ergonomics.
+// This file is intentionally a one-liner: the ENTIRE composition lives in the
+// single composition root (src/shell/main.ts — the one file allowed to import the
+// functional core). All this entrypoint does is invoke that root's `main()` and
+// translate an unhandled rejection into a non-zero exit. Keeping it this thin
+// means `package.json`'s `bin` target (dist/bin/symphony.js) and the `tsx`
+// dev/start scripts share exactly the wiring path the tests exercise via
+// `main(argv)`.
 //
-// The `rerun` subcommand (issue 36) invalidates one `run_in_vm` action's
-// content-hash cache entries so the next dispatch into the state hosting it
-// re-executes. It does not start a long-running process — it scans the
-// workflow's state actions for a matching name and `rm`s the per-name cache
-// namespace directory under `<cacheRoot>/actions/run_in_vm/<name>/`. The
-// per-execution hash is workspace-dependent (the agent's edits change the
-// tree); namespacing the cache by action name on disk means the CLI doesn't
-// need to know any per-issue workspace state to invalidate the right
-// entries.
-import path from 'node:path';
+// package.json declares:  "bin": { "symphony": "dist/bin/symphony.js" }
+// and dev scripts run this file directly via tsx (src/bin/symphony.ts).
 import process from 'node:process';
-import readline from 'node:readline';
-import { existsSync } from 'node:fs';
-import { parseCli } from './cli-args.js';
-import { loadWorkflow, watchWorkflow } from '../workflow-loader.js';
-import { scaffoldWorkflow, ScaffoldError } from '../scaffold.js';
-import { invalidateRunInVmByName } from '../actions/index.js';
-import { LocalMarkdownTracker } from '../trackers/local.js';
-import { WorkspaceManager, resolveGithubRepo } from '../workspace.js';
-import { GondolinVmClient } from '../agent/gondolin.js';
-import { CredentialSecretRegistry, buildAdapterCredentialSpecs, buildAdapterHooksConfig, } from '../agent/credential-secrets.js';
-import { defaultHostIdentityReaders } from '../agent/gondolin-creds-staging.js';
-import { KNOWN_ADAPTER_IDS } from '../agent/adapter-names.js';
-import { AgentRunner } from '../agent/runner.js';
-import { Orchestrator } from '../orchestrator.js';
-import { startHttpServer } from '../http.js';
-import { McpRegistry } from '../mcp.js';
-import { AcpBridge } from '../acp-bridge.js';
-import { CredentialTicker } from '../agent/credential-ticker.js';
-import { GhCliPrApi, Reconciler } from '../reconciler/index.js';
-import { closeLogFile, log, setLogFile, setLogVerbose } from '../logging.js';
-import { derivePrRouting } from '../workflow.js';
-/**
- * Walk every declared state's `actions:` for a run_in_vm whose `name` matches
- * `target`. Returns the first match; duplicates would let a single rerun
- * invalidate multiple entries, which is rarely intended (operator wants to
- * re-run *one* named check).
- */
-function findRunInVmByName(states, target) {
-    for (const [stateName, sc] of Object.entries(states)) {
-        if (!sc.actions)
-            continue;
-        for (const a of sc.actions) {
-            if (a.kind === 'run_in_vm' && a.name === target) {
-                return { state: stateName, action: a };
-            }
-        }
-    }
-    return null;
-}
-async function runRerunCheck(workflowPath, name) {
-    let cfg;
-    try {
-        ({ config: cfg } = await loadWorkflow(workflowPath));
-    }
-    catch (err) {
-        process.stderr.write(`error: failed to load workflow: ${err.message}\n`);
-        return 1;
-    }
-    const match = findRunInVmByName(cfg.states, name);
-    if (!match) {
-        process.stderr.write(`error: no run_in_vm action named "${name}" declared in WORKFLOW.md\n`);
-        return 2;
-    }
-    // Drop the per-name cache namespace directory. This invalidates every
-    // hash entry under that name regardless of which per-issue workspace the
-    // execution computed its hash against — the orchestrator's next dispatch
-    // re-executes the check because the namespace is empty.
-    await invalidateRunInVmByName(match.action);
-    process.stdout.write(`invalidated run_in_vm "${name}" (state=${match.state})\n`);
-    return 0;
-}
-/**
- * Read a single line from stdin with the given prompt. Resolves to the
- * trimmed input string (without the trailing newline). The readline interface
- * is closed before resolving so the process can exit cleanly afterwards.
- */
-function promptLine(message) {
-    const rl = readline.createInterface({
-        input: process.stdin,
-        output: process.stdout,
-    });
-    return new Promise((resolve) => {
-        rl.question(message, (answer) => {
-            rl.close();
-            resolve(answer);
-        });
-    });
-}
-/**
- * When the workflow file is missing and the operator is at an interactive
- * terminal, ask whether to scaffold a starter file. Returns true if the
- * scaffold was written (caller can continue boot), false otherwise (caller
- * should fall through to the usual "file not found" error).
- *
- * Non-interactive invocations (cron jobs, CI, container ENTRYPOINTs) skip the
- * prompt entirely and return false — silently scaffolding files into someone
- * else's working tree without a confirmed yes is the wrong default for a tool
- * that's usually run by an operator who knows where their workflow lives.
- */
-async function maybeScaffoldMissingWorkflow(workflowPath) {
-    if (!process.stdin.isTTY || !process.stdout.isTTY)
-        return false;
-    const answer = await promptLine(`WORKFLOW.md not found at ${workflowPath}.\nScaffold a starter workflow file here? [Y/n] `);
-    const normalized = answer.trim().toLowerCase();
-    // Default-accept: bare enter, "y", "yes". Anything else is "no".
-    const accept = normalized === '' || normalized === 'y' || normalized === 'yes';
-    if (!accept)
-        return false;
-    try {
-        const result = await scaffoldWorkflow({ workflowPath });
-        process.stdout.write(`wrote ${result.workflowPath}\n`);
-        process.stdout.write(`Edit it to point gondolin.image at your built agent image (npm run build:image), ` +
-            `then run \`symphony ${path.relative(process.cwd(), result.workflowPath) || workflowPath}\` again.\n`);
-        return true;
-    }
-    catch (err) {
-        const msg = err instanceof ScaffoldError ? err.message : err.message;
-        process.stderr.write(`error: scaffold failed: ${msg}\n`);
-        return false;
-    }
-}
-/**
- * Centralized startup-failure cleanup. Writes the message, closes the optional
- * HTTP listener and workflow watcher, flushes the persistent log sink, and
- * exits non-zero. Returns `never` so call sites can treat the path as a hard
- * terminator and TypeScript narrows away post-call code.
- *
- * `flushLogs` matters because `process.exit` does NOT drain pending WriteStream
- * writes — without `closeLogFile()` we'd lose the final lines symphony.log was
- * about to receive (the startup-failure stderr line itself is unaffected, but
- * any buffered `log.*` output would be dropped).
- */
-async function bailStartup(message, opts) {
-    process.stderr.write(message);
-    if (opts.http)
-        await opts.http.close().catch(() => undefined);
-    await opts.src.stop().catch(() => undefined);
-    await closeLogFile().catch(() => undefined);
-    process.exit(1);
-}
-/**
- * Handle the two early-exit subcommands that don't enter the orchestrator
- * graph: a missing workflow file (offer to scaffold, or fail), and the
- * `rerun --check=<name>` subcommand (invalidate one action's cache and exit).
- * Returns to the caller only on the happy path of `serve`/`reconcile` against
- * an existing workflow.
- */
-async function handlePreflight(cli, workflowPath) {
-    if (!existsSync(workflowPath)) {
-        // `rerun` operates on an existing workflow's action namespace; there is
-        // nothing to scaffold against. Same for `reconcile`, which only makes sense
-        // when a workflow already exists. Prompt only on the bare `serve` path.
-        if (cli.subcommand === 'serve') {
-            const scaffolded = await maybeScaffoldMissingWorkflow(workflowPath);
-            // Stop here on purpose: the operator hasn't finished filling in
-            // the gondolin.* / source-of-truth fields yet, and dispatching immediately
-            // would just fail at the first attempt with a confusing error. The
-            // scaffold message already tells them how to relaunch.
-            if (scaffolded)
-                process.exit(0);
-        }
-        process.stderr.write(`error: workflow file not found: ${workflowPath}\n`);
-        process.exit(2);
-    }
-    if (cli.subcommand === 'rerun') {
-        if (!cli.rerunCheck) {
-            process.stderr.write(`error: rerun requires --check=<name>\n`);
-            process.exit(2);
-        }
-        const code = await runRerunCheck(workflowPath, cli.rerunCheck);
-        process.exit(code);
-    }
-}
-/**
- * Start the workflow watcher, validate that this build can serve the parsed
- * tracker (currently `kind=local` only), and resolve the persistent log file
- * path. Mirrors stderr to disk so an agent reviewing a run after the fact
- * (typically inside a VM with the workspace + .symphony/logs/ mounted in) can
- * read orchestrator-side events — workflow reloads, dispatch decisions, action
- * results, reconciler ticks — alongside the per-issue JSONL run logs in the
- * same directory.
- *
- * Path resolution: `SYMPHONY_LOG_FILE` env override wins (`""` disables the
- * sink); otherwise `<logs.root>/symphony.log`. The directory is created on
- * demand. File-sink failure is swallowed: symphony continues on stderr only.
- */
-async function loadAndValidateConfig(workflowPath) {
-    let src;
-    try {
-        src = await watchWorkflow(workflowPath);
-    }
-    catch (err) {
-        process.stderr.write(`error: failed to load workflow: ${err.message}\n`);
-        process.exit(1);
-    }
-    const { definition, config } = src.current();
-    if (config.tracker.kind !== 'local') {
-        process.stderr.write(`error: this build supports tracker.kind=local only (got: ${config.tracker.kind || '<unset>'})\n`);
-        process.exit(2);
-    }
-    const envLogFile = process.env.SYMPHONY_LOG_FILE;
-    const logFile = envLogFile === undefined
-        ? path.join(config.logs.root, 'symphony.log')
-        : envLogFile === ''
-            ? null
-            : envLogFile;
-    setLogFile(logFile);
-    return { src, definition, config, envLogFile, logFile };
-}
-/**
- * Build the host credential pipeline for the Gondolin secret-substitution model
- * (replaces the credential proxy). There is no HTTP proxy server and no base-URL
- * injection: per-adapter specs carry the extractor/mint/flock-refresh logic, a
- * single shared `CredentialSecretRegistry` owns every live per-VM secretManager
- * and seeds it before first egress, and the per-adapter hooks configs (allowlist
- * + token-shaped placeholder + request/response hooks) thread into each dispatch's
- * `createHttpHooks`. The ticker fans `refreshAdapter` over every live adapter.
- */
-async function buildCredentialPipeline(config) {
-    // Resolve the host's NON-SECRET codex `chatgpt_account_id` once and bind it into
-    // the codex placeholder JWT's auth claim — without it codex-acp attempts a
-    // mid-turn token refresh (egress-blocked → 403 → refusal; the go-live finding).
-    // Best-effort: a missing/malformed auth.json yields null (claim omitted).
-    const codexAccountId = await defaultHostIdentityReaders().readCodexAccountId();
-    const specs = buildAdapterCredentialSpecs({ codexAccountId });
-    const adapterHooks = buildAllAdapterHooks(specs, config.egress.allowed_hosts);
-    const credentialRegistry = new CredentialSecretRegistry({
-        readToken: (adapterId) => specs[adapterId].readToken(),
-        refresh: (adapterId) => specs[adapterId].refresh(),
-    });
-    const credentialTicker = new CredentialTicker({
-        intervalMs: config.credentials.ticker_interval_ms,
-        // Fan a host-side refresh over every adapter; each adapter's flock +
-        // single-flight collapses concurrent ticks into one host refresh, and the
-        // registry seeds every live per-VM manager with the fresh value.
-        refreshAll: () => refreshAllAdapters(credentialRegistry),
-    });
-    return { credentialRegistry, adapterHooks, credentialTicker };
-}
-/**
- * Build the per-adapter `createHttpHooks` config map from the credential specs.
- * `egressAllowlist` is the general workspace dev-tooling firewall (npm/git/CDNs)
- * unioned into every adapter's `allowedHosts` (never into its substitution scope).
- */
-function buildAllAdapterHooks(specs, egressAllowlist) {
-    const out = {};
-    for (const id of KNOWN_ADAPTER_IDS) {
-        out[id] = buildAdapterHooksConfig(specs[id], egressAllowlist);
-    }
-    return out;
-}
-/** Drive a host-side refresh + fan-out for every adapter (the ticker cadence). */
-async function refreshAllAdapters(registry) {
-    for (const id of KNOWN_ADAPTER_IDS) {
-        await registry.refreshAdapter(id);
-    }
-}
-/**
- * Resolve the static Gondolin VM shape from config. Fail fast if no image is set
- * so a misconfigured workflow surfaces at boot, not mid-dispatch after the VM
- * bring-up cost is sunk.
- */
-function resolveGondolinVmConfig(config) {
-    const imagePath = config.gondolin.image;
-    if (!imagePath || imagePath.length === 0) {
-        throw new Error('gondolin: no VM image configured. Set gondolin.image (a build id / `name:tag` ref / ' +
-            'asset dir exported by `npm run build:image` — see images/agents) in WORKFLOW.md.');
-    }
-    return { imagePath, cpus: config.gondolin.cpus, memMib: config.gondolin.mem_mib };
-}
-/**
- * Build the in-process graph: tracker, workspaces, vmClient, mcp, acpBridge,
- * reconciler, runner, orchestrator. Wires the post-construction provider
- * callbacks (`reconciler.setIntendedVmProvider` / `setWorkspaceProviders` /
- * `setPrAutopilotProviders`) and the reload callback that propagates config
- * updates through every component.
- *
- * The Reconciler is constructed before the Orchestrator (the runner needs the
- * reconciler at its own construction time), so the vm reaper's
- * IntendedVmProvider and workspace providers are plugged in after the
- * orchestrator exists. The vm resource is only built when both `vmClient`
- * (passed at Reconciler construction) and an intended provider are wired.
- */
-async function buildOrchestratorGraph(opts) {
-    const { config, definition, src, envLogFile } = opts;
-    const tracker = new LocalMarkdownTracker(config.tracker);
-    // Materialize every declared state directory under tracker.root up front so
-    // the dashboard sees the full set of columns (including `holding` states like
-    // Triage) before any issue lands in them.
-    try {
-        await tracker.start();
-    }
-    catch (err) {
-        await bailStartup(`error: tracker init failed: ${err.message}\n`, { src });
-    }
-    const workspaces = new WorkspaceManager(config);
-    // Gondolin VM substrate (the in-process VM backend for the dispatch
-    // path). The runner builds a per-dispatch GondolinDispatcher over this client,
-    // and the Reconciler's VM reaper observes its session registry / runs its GC.
-    const vmClient = new GondolinVmClient();
-    const gondolinVmConfig = resolveGondolinVmConfig(config);
-    // Always instantiate the registry so a workflow reload that flips mcp.enabled from
-    // false to true takes effect without a process restart. The runner and HTTP routes
-    // gate behavior on cfg.mcp.enabled at runtime; an inactive registry holds no entries
-    // and answers all routes with "not active."
-    const mcp = new McpRegistry(tracker, {
-        states: config.states,
-        // The PR engine owns the merge state's workspace; pass the engine-enabled
-        // flag + the derived merge-state name so transitions into it defer terminal
-        // cleanup (issue 144 retired the old derived compatibility view).
-        prMerge: { enabled: config.pr.enabled, mergeState: derivePrRouting(config.states).mergeState },
-        now: () => Date.now(),
-    });
-    // ACP transport. The bridge listens on a loopback TCP port for the in-VM
-    // agent's dial-back (raw mapped TCP via Gondolin `tcp.hosts`). `loopbackOnly`
-    // hard-refuses a wider bind so the bearer-gated control channel can never be
-    // exposed to the host LAN. Started below alongside the HTTP server so a bind
-    // failure surfaces before we accept any dispatches.
-    const acpBridge = new AcpBridge({ loopbackOnly: true });
-    const { credentialRegistry, adapterHooks, credentialTicker } = await buildCredentialPipeline(config);
-    // Reconciler (issues 32, 33, 34). Owns the VM reaper (now Gondolin-backed:
-    // observes `vmClient.listSessions()` + runs `vmClient.gc()`, reaping
-    // `symphony-`-labelled sessions not in the orchestrator's intended set) + the
-    // per-issue workspace convergence. Bake is bypassed on the Gondolin dispatch
-    // path (the runner uses the prebuilt image directly); the bake resource stays
-    // for now and is deleted in a later PR.
-    const reconciler = new Reconciler(config, { vmClient });
-    // Build the runner with stubs first; we attach the orchestrator's provider callbacks after
-    // construction since they reference the orchestrator instance.
-    let orch;
-    const runner = new AgentRunner(config, definition, workspaces, tracker, vmClient, {
-        onRuntimeEvent: (id, ev) => orch.reportRuntimeEvent(id, ev),
-        onTokenUsage: (id, u) => orch.reportTokenUsage(id, u),
-        onRateLimits: (id, s) => orch.reportRateLimits(id, s),
-        onTurn: (id, turn) => orch.reportTurnStarted(id, turn),
-        onSessionStarted: (info) => orch.reportSessionStarted(info.issueId, {
-            sessionId: info.sessionId,
-            threadId: info.threadId,
-            pid: info.pid,
-        }),
-    }, mcp, acpBridge, 
-    // propose_followup sink (issue 36): orchestrator owns the tracker write
-    // path, mirroring how the MCP `propose_issue` tool routes through the
-    // tracker. The runner forwards the parent identifier so provenance is
-    // recorded the same way.
-    { proposeFollowup: (input) => orch.proposeFollowup(input) }, 
-    // Action snapshot sink (issue 36 AC5): per-attempt ledger surfaces on
-    // /api/v1/snapshot under reconciler.resources so the dashboard sees
-    // "Done.actions: …" alongside the bake/vm/workspace resources.
-    { recordActionResult: (id, snap) => orch.recordActionResult(id, snap) }, 
-    // Gondolin credential layer (replaced the credential proxy): the shared
-    // registry of per-VM secret managers, the per-adapter hooks configs, and the
-    // static VM shape (image + cpus/mem).
-    credentialRegistry, adapterHooks, gondolinVmConfig);
-    orch = new Orchestrator(config, definition, src, tracker, workspaces, runner, undefined, reconciler);
-    wirePostConstructionProviders({ reconciler, orch, config });
-    // The tracker view is resolved through a getter so reloaded config (e.g. a moved
-    // tracker.root, changed active/terminal states) is reflected by both the propagation
-    // callback and the HTTP UI without rebinding the server.
-    let liveCfg = config;
-    orch.setOnConfigReloaded(buildReloadHandler({
-        tracker,
-        workspaces,
-        runner,
-        mcp,
-        envLogFile,
-        onLiveCfg: (cfg) => {
-            liveCfg = cfg;
-        },
-    }));
-    return {
-        tracker,
-        workspaces,
-        mcp,
-        acpBridge,
-        credentialTicker,
-        reconciler,
-        runner,
-        orch,
-        vmClient,
-        getLiveCfg: () => liveCfg,
-    };
-}
-/**
- * Plug the orchestrator into the reconciler as the IntendedVmProvider, the
- * workspace intended/baseRef provider (with remove + create delegating back
- * through the orchestrator so the canonical workspace setup runs on
- * reconciler-driven passes), and the PR autopilot's set of providers (intended
- * set, PR/git adapters, transition router, cleanup callback, and workspace
- * re-materializer). Kept as a separate function so `buildOrchestratorGraph`
- * stays within the imperative-shell statement budget.
- */
-function wirePostConstructionProviders(opts) {
-    const { reconciler, orch, config } = opts;
-    reconciler.setIntendedVmProvider(orch);
-    // Removal is delegated to WorkspaceManager (a best-effort `rm -rf`) so janitor
-    // removals reuse the same path the runner does — the closure captures
-    // `workspaces` (whose config is kept live via updateConfig on reload), so a
-    // rotated `workspace.root` takes effect without rebuilding the reconciler.
-    reconciler.setWorkspaceProviders(orch, {
-        baseRef: orch,
-        remove: (identifier) => orch.removeWorkspace(identifier),
-        // Create callback for the reconciler's eager-workspace pass (issue 34).
-        // Delegates to `WorkspaceManager.ensureFor` via the orchestrator so the
-        // canonical clone+branch+remote setup fires on reconciler-driven creates
-        // the same way it does on dispatch. The intended-set provider supplies the
-        // issue's current state alongside the identifier (used for the merge-state
-        // guard); the per-identifier ensureFor lock collapses any race with
-        // concurrent dispatch into one setup pass.
-        create: (identifier, state) => orch.createWorkspace(identifier, state),
-    });
-    // PR autopilot wiring (issue 38). The Reconciler ignores this when
-    // `pr.enabled` is false (it stays a no-op pass), so we set the
-    // providers unconditionally — a reload that flips the flag picks them up
-    // via `updateConfig`'s rebuild path.
-    reconciler.setPrAutopilotProviders({
-        intended: orch,
-        // Pin the autopilot's `gh` calls to the configured target repo (env
-        // SYMPHONY_REPO or workspace.github_repo) so they don't silently fall back
-        // to cwd-inference in the out-of-repo layout the github_repo knob enables.
-        // Captured at startup; retargeting needs a restart (see GhCliPrApi.repo).
-        pr: new GhCliPrApi({ timeoutMs: 30_000, repo: resolveGithubRepo(config.workspace.github_repo) }),
-        transition: {
-            routeIssue: (input) => orch.routeIssueForAutopilot(input),
-        },
-        cleanup: {
-            removeWorkspace: (identifier) => orch.removeWorkspace(identifier),
-        },
-    });
-}
-/**
- * Returns the orchestrator's `onConfigReloaded` callback. On every reload it
- * forwards the freshly-parsed config to each long-lived component, retargets
- * the persistent log sink if `logs.root` rotated (unless the env override
- * locked it for the process lifetime), and re-materializes any state
- * directory the new workflow introduced. The orchestrator's own onChange
- * handler already forwards to the reconciler (so a config change rebinds its
- * managed resources); we do not re-forward here.
- */
-function buildReloadHandler(opts) {
-    const { tracker, workspaces, runner, mcp, envLogFile, onLiveCfg } = opts;
-    return (cfg, def) => {
-        tracker.updateConfig(cfg.tracker);
-        workspaces.updateConfig(cfg);
-        runner.updateConfig(cfg, def);
-        mcp.updateStates(cfg.states, {
-            enabled: cfg.pr.enabled,
-            mergeState: derivePrRouting(cfg.states).mergeState,
-        });
-        onLiveCfg(cfg);
-        if (envLogFile === undefined) {
-            setLogFile(path.join(cfg.logs.root, 'symphony.log'));
-        }
-        // Best-effort: a mkdir failure here would normally come from a tracker.root
-        // rotation that also failed at validateDispatch, so logging is enough.
-        void tracker.start().catch((err) => {
-            log.warn('tracker reinit after reload failed', { error: err.message });
-        });
-    };
-}
-/**
- * Bind the ACP TCP bridge, the optional HTTP server, and verify that — if MCP
- * is enabled — a reachable MCP URL can be constructed. Each bind/precondition
- * failure routes through `bailStartup` so the failure mode is uniform: write
- * to stderr, close any partial listeners, flush logs, exit non-zero.
- *
- * The ACP bridge must come up BEFORE we accept any dispatches: a bind failure
- * here is fatal because we cannot run agents without their transport. The MCP
- * precondition check is hoisted to boot so an in-VM agent doesn't fail mid-
- * dispatch (after the VM bring-up cost is sunk) with a misconfiguration the
- * operator could have caught at startup.
- */
-async function startTransports(opts) {
-    const { config, graph, cli, src, workflowPath } = opts;
-    // The Gondolin ACP channel is raw mapped TCP: the guest dials a synthetic name
-    // tunnelled to the host loopback via `tcp.hosts`. So the bridge binds loopback
-    // (the `reach_host`, default 127.0.0.1) and `loopbackOnly` hard-refuses a wider
-    // bind — never the config `bind_host` (which defaults to 0.0.0.0 for the old
-    // slirp gateway).
-    const bridgeHost = config.acp.bridge.reach_host;
-    try {
-        await graph.acpBridge.start(bridgeHost, config.acp.bridge.bind_port);
-    }
-    catch (err) {
-        await bailStartup(`error: failed to bind ACP bridge on ${bridgeHost}:${config.acp.bridge.bind_port}: ${err.message}\n`, { src });
-    }
-    startCredentialTicker(graph);
-    const http = await bindHttpServer({ config, graph, cli, src, workflowPath });
-    await checkMcpPrecondition({ config, graph, src, http });
-    return { http };
-}
-/**
- * Start the host credential ticker (Gondolin secret-substitution model). There
- * is NO proxy server to bind — the registry seeds each per-VM secret manager at
- * dispatch and the ticker drives a periodic host-side refresh fan-out. So this
- * is just the ticker timer; nothing here can fail-to-bind.
- */
-function startCredentialTicker(graph) {
-    graph.credentialTicker.start();
-}
-/**
- * Resolve the HTTP port (CLI override > workflow `server.port` > none), bind
- * if requested, and tell the MCP registry the *actually* bound port. The
- * registry needs the live port (not the requested one) so URLs injected into
- * agents point at the real listener — with `--port 0` the kernel picks an
- * ephemeral port that differs from what we asked for.
- */
-async function bindHttpServer(opts) {
-    const { config, graph, cli, src, workflowPath } = opts;
-    const httpPort = cli.port ?? config.server.port;
-    if (httpPort === null || httpPort === undefined)
-        return null;
-    try {
-        const http = await startHttpServer(graph.orch, {
-            port: httpPort,
-            host: config.server.host,
-            // Canonical per-state config in workflow declaration order. The HTTP
-            // dashboard reads role from here for pill colours, declared order for
-            // the on-disk listing, and approve/discard targets — each consumer
-            // filters by role on demand. The closure reads `liveCfg.states` on
-            // every request, and the reload callback reassigns `liveCfg` to the
-            // freshly-parsed config, so a workflow reload is reflected here
-            // without rebinding the server. Phase 3 wired the equivalent for the
-            // MCP registry via `mcp.updateStates`; this view is its dashboard twin.
-            getTrackerView: () => ({
-                trackerRoot: graph.getLiveCfg().tracker.root,
-                states: Object.entries(graph.getLiveCfg().states).map(([name, cfg]) => ({
-                    name,
-                    role: cfg.role,
-                })),
-                workflowPath,
-            }),
-            mcp: graph.mcp,
-            tracker: graph.tracker,
-        });
-        graph.mcp.setEffectivePort(http.port);
-        return http;
-    }
-    catch (err) {
-        // `await bailStartup(...)` resolves to `never` at runtime (the helper calls
-        // process.exit), but TS doesn't propagate `Promise<never>` through `await`
-        // for unreachability — `return` is what tells the type checker this branch
-        // doesn't fall through.
-        return await bailStartup(`error: failed to bind HTTP server on ${config.server.host}:${httpPort}: ${err.message}\n`, { src });
-    }
-}
-/**
- * MCP precondition check: with mcp.enabled (the default), every dispatch will
- * require a reachable MCP URL. Verify NOW that one can be constructed, rather
- * than letting each per-issue dispatch fail with the same error after VM
- * bring-up costs are sunk. Two failure modes:
- *
- *   1. mcp.enabled but no HTTP listener bound — `mcp.host_url` lets an operator
- *      point the in-VM agent at a reverse proxy but symphony itself must still
- *      serve `/api/v1/issues/<id>/mcp`. Without a listener, the override would
- *      advertise a URL nothing answers.
- *   2. mcp.enabled but the registry cannot build a URL (no port, no host_url).
- */
-async function checkMcpPrecondition(opts) {
-    const { config, graph, src, http } = opts;
-    if (!config.mcp.enabled)
-        return;
-    if (http === null) {
-        await bailStartup(`error: mcp.enabled=true but no HTTP server is configured. Symphony itself\n` +
-            `must bind a listener (set --port or server.port) so it can serve the MCP\n` +
-            `endpoint, even when mcp.host_url points the in-VM agent at a reverse proxy.\n`, { src });
-    }
-    const probeUrl = graph.mcp.buildUrl('startup-check', {
-        host: config.mcp.host,
-        explicit_host_url: config.mcp.explicit_host_url,
-    });
-    if (probeUrl === null) {
-        await bailStartup(`error: mcp.enabled=true but no MCP URL can be constructed. ` +
-            `Set --port, server.port, or mcp.host_url so the in-VM agent can reach ` +
-            `the symphony MCP endpoint.\n`, { http, src });
-    }
-}
-/**
- * Human-facing startup summary on stdout. Once a file sink is active (the
- * default), this is the only orchestrator-side console output: structured
- * `log.*` lines are routed to the log file, so the operator sees just this
- * banner — what's running, where the dashboard is, and where the detailed log
- * stream went. `--verbose` additionally mirrors the structured stream to the
- * console. The companion `symphony started` structured line carries the same
- * facts into the log file (and onto stderr under --verbose).
- */
-function printStartupBanner(opts) {
-    const { workflowPath, trackerRoot, host, http, logFile } = opts;
-    // Map wildcard bind addresses to a clickable loopback host for the URL.
-    const displayHost = host === '0.0.0.0' || host === '::' ? 'localhost' : host;
-    const dashboard = http === null ? '(disabled — pass --port or set server.port)' : `http://${displayHost}:${http.port}/`;
-    const logs = logFile === null ? '(disabled — structured logs on stderr)' : `${logFile}  (tail -f to follow)`;
-    process.stdout.write(`symphony\n` +
-        `  workflow      ${workflowPath}\n` +
-        `  tracker root  ${trackerRoot ?? '<unset>'}\n` +
-        `  dashboard     ${dashboard}\n` +
-        `  logs          ${logs}\n`);
-}
-/** Per-step ceiling for each graceful-teardown step (`orch.stop`, the ACP
- *  bridge, the HTTP listener). One stuck step — a wedged VM teardown, a
- *  half-open ACP socket — times out and the remaining steps still run, so a
- *  single hang can't wedge the whole shutdown (issue 152). */
-const SHUTDOWN_STEP_TIMEOUT_MS = 8_000;
-/** Hard ceiling on the entire graceful path. If teardown hasn't finished by
- *  here, we stop waiting, force-kill child VMs, and exit non-zero — Ctrl+C
- *  never appears dead, even when every per-step timeout is also wedged. */
-const SHUTDOWN_DEADLINE_MS = 15_000;
-/** Short cap on the log-sink flush during a force-quit. The VM SIGKILL itself is
- *  synchronous, so the only thing the forced path awaits is draining symphony.log;
- *  cap it so a wedged sink can't keep a second Ctrl+C from exiting promptly. */
-const FORCE_QUIT_FLUSH_TIMEOUT_MS = 2_000;
-/**
- * Race `work` against a `label`ed deadline. Rejects with a timeout Error if the
- * deadline wins; the underlying promise is left to settle on its own (we only
- * ever call this on the shutdown path, where the process exits shortly after).
- * The timer is `unref`'d so it can't by itself hold the event loop open.
- */
-function withTimeout(work, ms, label) {
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
-        timer.unref();
-        work.then((v) => {
-            clearTimeout(timer);
-            resolve(v);
-        }, (e) => {
-            clearTimeout(timer);
-            reject(e);
-        });
-    });
-}
-/**
- * The graceful teardown sequence. Each step gets its own per-step timeout +
- * catch so one wedged teardown can't starve the steps below it (the issue's
- * `orch.stop()` no-catch/no-timeout wedge). `orch.stop()` signals every worker
- * to unwind (each closes its VM) but does NOT await them, so the trailing
- * `vmClient.killAllVms()` is the backstop that guarantees no orphaned qemu: a
- * no-op once every worker has closed its VM, and a synchronous SIGKILL of any
- * qemu still live when a slow/timed-out `orch.stop()` returns early.
- */
-async function gracefulStop(deps) {
-    const { graph, http, src } = deps;
-    await withTimeout(graph.orch.stop(), SHUTDOWN_STEP_TIMEOUT_MS, 'orch.stop').catch((err) => log.warn('shutdown: orch.stop did not finish cleanly', { error: err.message }));
-    await withTimeout(graph.acpBridge.stop(), SHUTDOWN_STEP_TIMEOUT_MS, 'acpBridge.stop').catch((err) => log.warn('shutdown: acpBridge.stop did not finish cleanly', { error: err.message }));
-    graph.credentialTicker.stop();
-    if (http) {
-        await withTimeout(http.close(), SHUTDOWN_STEP_TIMEOUT_MS, 'http.close').catch((err) => log.warn('shutdown: http.close did not finish cleanly', { error: err.message }));
-    }
-    await src.stop().catch(() => undefined);
-    // Synchronous backstop: SIGKILL any qemu whose VM didn't close in time. No
-    // await — it can't hang, and a clean stop has already deregistered every VM.
-    killChildVms(graph);
-    await closeLogFile().catch(() => undefined);
-}
-/**
- * Force-quit path: SIGKILL any live child VMs (so a forced exit doesn't orphan
- * `qemu-system-x86_64`), flush the log sink under a short cap, then exit
- * non-zero. The kill is synchronous so a second Ctrl+C terminates immediately —
- * the only awaited step is the bounded log flush.
- */
-async function forceQuit(message, graph) {
-    process.stdout.write(`\n${message}\n`);
-    log.warn('shutdown: force-quitting — SIGKILL child VMs then exit');
-    killChildVms(graph);
-    await withTimeout(closeLogFile(), FORCE_QUIT_FLUSH_TIMEOUT_MS, 'closeLogFile').catch(() => undefined);
-    process.exit(1);
-}
-/**
- * Synchronously SIGKILL every live VM's backing qemu (issue 152). The qemu
- * processes are direct children of this in-process orchestrator; left alone,
- * `process.exit` reparents them to init and they survive as orphans. Bounded and
- * best-effort — never throws — so both the graceful backstop and the force path
- * can call it on the way out without risking a hang.
- */
-function killChildVms(graph) {
-    try {
-        const killed = graph.vmClient.killAllVms();
-        if (killed > 0)
-            log.info('shutdown: SIGKILL child VMs', { count: killed });
-    }
-    catch (err) {
-        log.warn('shutdown: killAllVms threw', { error: err.message });
-    }
-}
-/**
- * Run the graceful path under a hard deadline. On a clean stop we exit 0; if the
- * deadline elapses (teardown wedged past even the per-step timeouts) we fall
- * through to the force-quit path so the process never hangs on Ctrl+C.
- */
-async function runGracefulShutdown(signal, deps) {
-    process.stdout.write(`\nsymphony: ${signal} received — shutting down gracefully… (press Ctrl+C again to force-quit)\n`);
-    log.info('shutdown requested', { signal });
-    try {
-        await withTimeout(gracefulStop(deps), SHUTDOWN_DEADLINE_MS, 'graceful shutdown');
-    }
-    catch (err) {
-        log.warn('graceful shutdown exceeded deadline; forcing', { error: err.message });
-        await forceQuit(`symphony: graceful shutdown exceeded ${SHUTDOWN_DEADLINE_MS}ms — force-quitting; killing child VMs.`, deps.graph);
-    }
-    process.stdout.write('symphony: shutdown complete.\n');
-    process.exit(0);
-}
-/**
- * Wire SIGINT/SIGTERM. The first signal runs the deadline-bounded graceful path;
- * a SECOND signal force-quits immediately (force-killing child VMs first)
- * instead of re-entering the same in-flight teardown (issue 152). With no
- * console output the old graceful shutdown looked dead on a wedged VM/bridge
- * teardown, so both paths announce on the operator's console.
- */
-function installShutdownHandlers(deps) {
-    let shuttingDown = false;
-    const onSignal = (signal) => {
-        if (shuttingDown) {
-            void forceQuit(`symphony: ${signal} again — graceful shutdown is taking too long, force-quitting; killing child VMs.`, deps.graph);
-            return;
-        }
-        shuttingDown = true;
-        void runGracefulShutdown(signal, deps);
-    };
-    process.on('SIGINT', () => onSignal('SIGINT'));
-    process.on('SIGTERM', () => onSignal('SIGTERM'));
-}
-async function main() {
-    const cli = parseCli(process.argv.slice(2));
-    // --verbose / --foreground: mirror structured logs to the console even when
-    // the file sink is active. Set before any log.* call so every line honors it.
-    setLogVerbose(cli.verbose);
-    const workflowPath = path.resolve(cli.workflow);
-    await handlePreflight(cli, workflowPath);
-    const { src, config, definition, envLogFile, logFile } = await loadAndValidateConfig(workflowPath);
-    const graph = await buildOrchestratorGraph({ config, definition, src, envLogFile });
-    const { http } = await startTransports({ config, graph, cli, src, workflowPath });
-    try {
-        await graph.orch.start();
-    }
-    catch (err) {
-        await bailStartup(`startup failed: ${err.message}\n`, { http, src });
-    }
-    if (cli.reconcileForce) {
-        // `--reconcile-force`: request an immediate reconcile pass (VM/workspace/PR
-        // janitors) instead of waiting on the backstop tick. The bake artifact this
-        // flag used to invalidate is gone (the agent image is built ahead of time),
-        // so it now just triggers an eager pass.
-        log.info('reconcile --force requested');
-        void graph.orch.triggerReconcile({ force: true }).catch((err) => log.warn('reconcile --force failed', { error: err.message }));
-    }
-    log.info('symphony started', {
-        workflow: workflowPath,
-        workspace_root: config.workspace.root,
-        tracker_root: config.tracker.root,
-        log_file: logFile ?? '<disabled>',
-        poll_interval_ms: config.polling.interval_ms,
-        // Actually-bound port (differs from the requested port with --port 0); null
-        // when no HTTP listener is configured.
-        http_port: http?.port ?? null,
-    });
-    // Clean human-facing summary on stdout. With a file sink active (the default)
-    // the structured line above goes to the log file only, so this banner is what
-    // the operator sees on the console (issue 118).
-    printStartupBanner({
-        workflowPath,
-        trackerRoot: config.tracker.root,
-        host: config.server.host,
-        http,
-        logFile,
-    });
-    // Graceful shutdown is async and can stall on a wedged VM/bridge teardown
-    // (issue 152), so the handlers run the graceful path under a hard deadline,
-    // announce on the operator's console, and escalate a SECOND signal to an
-    // immediate force-quit (force-killing child VMs first) instead of re-entering
-    // the same hanging await.
-    installShutdownHandlers({ graph, http, src });
-}
-main().catch(async (err) => {
-    process.stderr.write(`fatal: ${err.message}\n${err.stack ?? ''}\n`);
-    // setLogFile() may have been called before main() threw; flush the sink so
-    // any log.* lines emitted before the fault reach symphony.log.
-    await closeLogFile().catch(() => undefined);
+import { main } from '../shell/main.js';
+// The composition root installs its own SIGINT/SIGTERM graceful-shutdown handlers
+// and owns every process.exit on the preflight / bind-failure paths. Here we only
+// backstop a thrown/ rejected main() — a startup failure that escaped bailStartup
+// — with a fatal log + non-zero exit so the operator sees the cause.
+main(process.argv.slice(2)).catch((err) => {
+    const e = err;
+    process.stderr.write(`fatal: ${e.message}\n${e.stack ?? ''}\n`);
     process.exit(1);
 });
 //# sourceMappingURL=symphony.js.map