svamp-cli 0.2.36 → 0.2.38

package/dist/{agentCommands-oLVbSvBZ.mjs → agentCommands-Djr_xWX-.mjs}

@@ -148,7 +148,7 @@ async function sessionBroadcast(action, args) {
   console.log(`Broadcast sent: ${action}`);
 }
 async function connectToMachineService() {
-  const { connectAndGetMachine } = await import('./commands-Cik0LIAl.mjs');
+  const { connectAndGetMachine } = await import('./commands-B8Q1ig7j.mjs');
   return connectAndGetMachine();
 }
 async function inboxSend(targetSessionId, opts) {
@@ -165,7 +165,7 @@ async function inboxSend(targetSessionId, opts) {
   }
   const { server, machine } = await connectToMachineService();
   try {
-    const { resolveSessionId } = await import('./commands-Cik0LIAl.mjs');
+    const { resolveSessionId } = await import('./commands-B8Q1ig7j.mjs');
     const sessions = await machine.listSessions();
     const match = resolveSessionId(sessions, targetSessionId);
     const fullTargetId = match.sessionId;

package/dist/cli.mjs

@@ -1,4 +1,4 @@
-import { s as startDaemon, b as stopDaemon, d as daemonStatus } from './run-BKBv5P9v.mjs';
+import { s as startDaemon, b as stopDaemon, d as daemonStatus } from './run-D-1qvfLH.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';
@@ -36,7 +36,7 @@ async function main() {
     await logoutFromHypha();
   } else if (subcommand === "daemon") {
     if (daemonSubcommand === "restart") {
-      const { restartDaemon } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.k; });
+      const { restartDaemon } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.k; });
       await restartDaemon();
       process.exit(0);
     }
@@ -82,10 +82,11 @@ async function main() {
       process.exit(0);
     } else if (daemonSubcommand === "start-supervised") {
       const { spawn: spawnChild } = await import('child_process');
-      const { appendFileSync, mkdirSync, existsSync: fsExists } = await import('fs');
+      const { appendFileSync, mkdirSync } = await import('fs');
       const { join: pathJoin } = await import('path');
       const osModule = await import('os');
       const svampHome = process.env.SVAMP_HOME || pathJoin(osModule.homedir(), ".svamp");
+      mkdirSync(svampHome, { recursive: true });
       const logsDir = pathJoin(svampHome, "logs");
       mkdirSync(logsDir, { recursive: true });
       const logFile = pathJoin(logsDir, "daemon-supervised.log");
@@ -97,13 +98,27 @@ async function main() {
         } catch {
         }
       };
+      const {
+        acquireSupervisorLockWithRetry,
+        releaseSupervisorLock,
+        findOrphanedSyncPids,
+        killOrphanedSyncs
+      } = await import('./supervisorLock-DwNAn0VN.mjs');
       const supervisorPidFile = pathJoin(svampHome, "supervisor.pid");
+      const lock = acquireSupervisorLockWithRetry(supervisorPidFile, process.pid);
+      if (!lock.acquired) {
+        log(`Another supervisor is already running (PID ${lock.heldBy}) \u2014 exiting`);
+        console.error(`svamp daemon: another supervisor is already running (PID ${lock.heldBy}).`);
+        process.exit(0);
+      }
       try {
-        appendFileSync(supervisorPidFile, "");
-      } catch {
+        const orphans = findOrphanedSyncPids(process.pid);
+        if (orphans.length > 0) {
+          await killOrphanedSyncs(orphans, { log, gracePeriodMs: 3e3 });
+        }
+      } catch (err) {
+        log(`Orphan scan failed (non-fatal): ${err?.message || err}`);
       }
-      const { writeFileSync: wfs } = await import('fs');
-      wfs(supervisorPidFile, String(process.pid), "utf-8");
       const extraSyncArgs = [];
       if (args.includes("--no-auto-continue")) extraSyncArgs.push("--no-auto-continue");
       const BASE_DELAY_MS = 2e3;
@@ -188,11 +203,7 @@ async function main() {
           setTimeout(() => clearInterval(checkStop), delay + 100);
         });
       }
-      try {
-        const { unlinkSync: us } = await import('fs');
-        us(supervisorPidFile);
-      } catch {
-      }
+      releaseSupervisorLock(supervisorPidFile, process.pid);
       process.exit(0);
     } else if (daemonSubcommand === "start-sync") {
       const noAutoContinue = args.includes("--no-auto-continue");
@@ -246,7 +257,7 @@ async function main() {
       console.error("svamp serve: Serve commands are not available in sandboxed sessions.");
       process.exit(1);
     }
-    const { handleServeCommand } = await import('./serveCommands-Cgq6Vif4.mjs');
+    const { handleServeCommand } = await import('./serveCommands-B2vQJyUt.mjs');
     await handleServeCommand();
     process.exit(0);
   } else if (subcommand === "process" || subcommand === "proc") {
@@ -255,7 +266,7 @@ async function main() {
       console.error("svamp process: Process commands are not available in sandboxed sessions.");
       process.exit(1);
     }
-    const { processCommand } = await import('./commands-B4qmyXeM.mjs');
+    const { processCommand } = await import('./commands-BpW-hioi.mjs');
     let machineId;
     const processArgs = args.slice(1);
     const mIdx = processArgs.findIndex((a) => a === "--machine" || a === "-m");
@@ -273,7 +284,7 @@ async function main() {
   } else if (!subcommand || subcommand === "start") {
     await handleInteractiveCommand();
   } else if (subcommand === "--version" || subcommand === "-v") {
-    const pkg = await import('./package-DDUrcHYU.mjs').catch(() => ({ default: { version: "unknown" } }));
+    const pkg = await import('./package-CcU8sNV_.mjs').catch(() => ({ default: { version: "unknown" } }));
     console.log(`svamp version: ${pkg.default.version}`);
   } else {
     console.error(`Unknown command: ${subcommand}`);
@@ -282,7 +293,7 @@ async function main() {
   }
 }
 async function handleInteractiveCommand() {
-  const { runInteractive } = await import('./run-sAfJWYld.mjs');
+  const { runInteractive } = await import('./run-BStlzTCG.mjs');
   const interactiveArgs = subcommand === "start" ? args.slice(1) : args;
   let directory = process.cwd();
   let resumeSessionId;
@@ -327,7 +338,7 @@ async function handleAgentCommand() {
     return;
   }
   if (agentArgs[0] === "list") {
-    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.i; });
+    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.i; });
     console.log("Known agents:");
     for (const [name, config2] of Object.entries(KNOWN_ACP_AGENTS)) {
       console.log(`  ${name.padEnd(12)} ${config2.command} ${config2.args.join(" ")}  (ACP)`);
@@ -339,7 +350,7 @@ async function handleAgentCommand() {
     console.log('Use "svamp agent -- <command> [args]" for a custom ACP agent.');
     return;
   }
-  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.i; });
+  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.i; });
   let cwd = process.cwd();
   const filteredArgs = [];
   for (let i = 0; i < agentArgs.length; i++) {
@@ -363,12 +374,12 @@ async function handleAgentCommand() {
   console.log(`Starting ${config.agentName} agent in ${cwd}...`);
   let backend;
   if (KNOWN_MCP_AGENTS[config.agentName]) {
-    const { CodexMcpBackend } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.j; });
+    const { CodexMcpBackend } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.j; });
     backend = new CodexMcpBackend({ cwd, log: logFn });
   } else {
-    const { AcpBackend } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.h; });
-    const { GeminiTransport } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.G; });
-    const { DefaultTransport } = await import('./run-BKBv5P9v.mjs').then(function (n) { return n.D; });
+    const { AcpBackend } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.h; });
+    const { GeminiTransport } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.G; });
+    const { DefaultTransport } = await import('./run-D-1qvfLH.mjs').then(function (n) { return n.D; });
     const transportHandler = config.agentName === "gemini" ? new GeminiTransport() : new DefaultTransport(config.agentName);
     backend = new AcpBackend({
       agentName: config.agentName,
@@ -495,7 +506,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
   }
-  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionInboxSend, sessionInboxList, sessionInboxRead, sessionInboxReply, sessionInboxClear } = await import('./commands-Cik0LIAl.mjs');
+  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionInboxSend, sessionInboxList, sessionInboxRead, sessionInboxReply, sessionInboxClear } = await import('./commands-B8Q1ig7j.mjs');
   const parseFlagStr = (flag, shortFlag) => {
     for (let i = 1; i < sessionArgs.length; i++) {
       if ((sessionArgs[i] === flag || shortFlag) && i + 1 < sessionArgs.length) {
@@ -555,7 +566,7 @@ async function handleSessionCommand() {
         allowDomain.push(sessionArgs[++i]);
       }
     }
-    const { parseShareArg } = await import('./commands-Cik0LIAl.mjs');
+    const { parseShareArg } = await import('./commands-B8Q1ig7j.mjs');
     const shareEntries = share.map((s) => parseShareArg(s));
     await sessionSpawn(agent, dir, targetMachineId, {
       message,
@@ -641,7 +652,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session approve <session-id> [request-id] [--json]");
       process.exit(1);
     }
-    const { sessionApprove } = await import('./commands-Cik0LIAl.mjs');
+    const { sessionApprove } = await import('./commands-B8Q1ig7j.mjs');
     const approveReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
     await sessionApprove(sessionArgs[1], approveReqId, targetMachineId, {
       json: hasFlag("--json")
@@ -651,7 +662,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session deny <session-id> [request-id] [--json]");
       process.exit(1);
     }
-    const { sessionDeny } = await import('./commands-Cik0LIAl.mjs');
+    const { sessionDeny } = await import('./commands-B8Q1ig7j.mjs');
     const denyReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
     await sessionDeny(sessionArgs[1], denyReqId, targetMachineId, {
       json: hasFlag("--json")
@@ -687,7 +698,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session set-title <title>");
       process.exit(1);
     }
-    const { sessionSetTitle } = await import('./agentCommands-oLVbSvBZ.mjs');
+    const { sessionSetTitle } = await import('./agentCommands-Djr_xWX-.mjs');
     await sessionSetTitle(title);
   } else if (sessionSubcommand === "set-link") {
     const url = sessionArgs[1];
@@ -696,7 +707,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
     const label = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
-    const { sessionSetLink } = await import('./agentCommands-oLVbSvBZ.mjs');
+    const { sessionSetLink } = await import('./agentCommands-Djr_xWX-.mjs');
     await sessionSetLink(url, label);
   } else if (sessionSubcommand === "notify") {
     const message = sessionArgs[1];
@@ -705,7 +716,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
     const level = parseFlagStr("--level") || "info";
-    const { sessionNotify } = await import('./agentCommands-oLVbSvBZ.mjs');
+    const { sessionNotify } = await import('./agentCommands-Djr_xWX-.mjs');
     await sessionNotify(message, level);
   } else if (sessionSubcommand === "broadcast") {
     const action = sessionArgs[1];
@@ -713,7 +724,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session broadcast <action> [args...]\nActions: open-canvas <url> [label], close-canvas, toast <message>");
       process.exit(1);
     }
-    const { sessionBroadcast } = await import('./agentCommands-oLVbSvBZ.mjs');
+    const { sessionBroadcast } = await import('./agentCommands-Djr_xWX-.mjs');
     await sessionBroadcast(action, sessionArgs.slice(2).filter((a) => !a.startsWith("--")));
   } else if (sessionSubcommand === "inbox") {
     const inboxSubcmd = sessionArgs[1];
@@ -724,7 +735,7 @@ async function handleSessionCommand() {
         process.exit(1);
       }
       if (agentSessionId) {
-        const { inboxSend } = await import('./agentCommands-oLVbSvBZ.mjs');
+        const { inboxSend } = await import('./agentCommands-Djr_xWX-.mjs');
         await inboxSend(sessionArgs[2], {
           body: sessionArgs[3],
           subject: parseFlagStr("--subject"),
@@ -739,7 +750,7 @@ async function handleSessionCommand() {
       }
     } else if (inboxSubcmd === "list" || inboxSubcmd === "ls") {
       if (agentSessionId && !sessionArgs[2]) {
-        const { inboxList } = await import('./agentCommands-oLVbSvBZ.mjs');
+        const { inboxList } = await import('./agentCommands-Djr_xWX-.mjs');
         await inboxList({
           unread: hasFlag("--unread"),
           limit: parseFlagInt("--limit"),
@@ -761,7 +772,7 @@ async function handleSessionCommand() {
         process.exit(1);
       }
       if (agentSessionId && !sessionArgs[3]) {
-        const { inboxList } = await import('./agentCommands-oLVbSvBZ.mjs');
+        const { inboxList } = await import('./agentCommands-Djr_xWX-.mjs');
         await sessionInboxRead(agentSessionId, sessionArgs[2], targetMachineId);
       } else if (sessionArgs[3]) {
         await sessionInboxRead(sessionArgs[2], sessionArgs[3], targetMachineId);
@@ -771,7 +782,7 @@ async function handleSessionCommand() {
       }
     } else if (inboxSubcmd === "reply") {
       if (agentSessionId && sessionArgs[2] && sessionArgs[3] && !sessionArgs[4]) {
-        const { inboxReply } = await import('./agentCommands-oLVbSvBZ.mjs');
+        const { inboxReply } = await import('./agentCommands-Djr_xWX-.mjs');
         await inboxReply(sessionArgs[2], sessionArgs[3]);
       } else if (sessionArgs[2] && sessionArgs[3] && sessionArgs[4]) {
         await sessionInboxReply(sessionArgs[2], sessionArgs[3], sessionArgs[4], targetMachineId);
@@ -807,7 +818,7 @@ async function handleMachineCommand() {
     return;
   }
   if (machineSubcommand === "share") {
-    const { machineShare } = await import('./commands-Cik0LIAl.mjs');
+    const { machineShare } = await import('./commands-B8Q1ig7j.mjs');
     let machineId;
     const shareArgs = [];
     for (let i = 1; i < machineArgs.length; i++) {
@@ -837,7 +848,7 @@ async function handleMachineCommand() {
     }
     await machineShare(machineId, { add, remove, list, configPath, showConfig });
   } else if (machineSubcommand === "exec") {
-    const { machineExec } = await import('./commands-Cik0LIAl.mjs');
+    const { machineExec } = await import('./commands-B8Q1ig7j.mjs');
     let machineId;
     let cwd;
     const cmdParts = [];
@@ -857,7 +868,7 @@ async function handleMachineCommand() {
     }
     await machineExec(machineId, command, cwd);
   } else if (machineSubcommand === "info") {
-    const { machineInfo } = await import('./commands-Cik0LIAl.mjs');
+    const { machineInfo } = await import('./commands-B8Q1ig7j.mjs');
     let machineId;
     for (let i = 1; i < machineArgs.length; i++) {
       if ((machineArgs[i] === "--machine" || machineArgs[i] === "-m") && i + 1 < machineArgs.length) {
@@ -877,10 +888,10 @@ async function handleMachineCommand() {
         level = machineArgs[++i];
       }
     }
-    const { machineNotify } = await import('./agentCommands-oLVbSvBZ.mjs');
+    const { machineNotify } = await import('./agentCommands-Djr_xWX-.mjs');
     await machineNotify(message, level);
   } else if (machineSubcommand === "ls") {
-    const { machineLs } = await import('./commands-Cik0LIAl.mjs');
+    const { machineLs } = await import('./commands-B8Q1ig7j.mjs');
     let machineId;
     let showHidden = false;
     let path;

package/dist/{commands-Cik0LIAl.mjs → commands-B8Q1ig7j.mjs}

@@ -2,7 +2,7 @@ import { existsSync, readFileSync } from 'node:fs';
 import { execSync } from 'node:child_process';
 import { resolve, join } from 'node:path';
 import os from 'node:os';
-import { l as loadSecurityContextConfig, e as resolveSecurityContext, f as buildSecurityContextFromFlags, m as mergeSecurityContexts, c as connectToHypha } from './run-BKBv5P9v.mjs';
+import { l as loadSecurityContextConfig, e as resolveSecurityContext, f as buildSecurityContextFromFlags, m as mergeSecurityContexts, c as connectToHypha } from './run-D-1qvfLH.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';

package/dist/{commands-B4qmyXeM.mjs → commands-BpW-hioi.mjs}

@@ -1,11 +1,11 @@
 import { writeFileSync, readFileSync } from 'fs';
 import { resolve } from 'path';
-import { connectAndGetMachine } from './commands-Cik0LIAl.mjs';
+import { connectAndGetMachine } from './commands-B8Q1ig7j.mjs';
 import 'node:fs';
 import 'node:child_process';
 import 'node:path';
 import 'node:os';
-import './run-BKBv5P9v.mjs';
+import './run-D-1qvfLH.mjs';
 import 'os';
 import 'fs/promises';
 import 'url';

package/dist/index.mjs

@@ -1,4 +1,4 @@
-export { c as connectToHypha, d as daemonStatus, g as getHyphaServerUrl, r as registerMachineService, a as registerSessionService, s as startDaemon, b as stopDaemon } from './run-BKBv5P9v.mjs';
+export { c as connectToHypha, d as daemonStatus, g as getHyphaServerUrl, r as registerMachineService, a as registerSessionService, s as startDaemon, b as stopDaemon } from './run-D-1qvfLH.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';

package/dist/package-CcU8sNV_.mjs

@@ -0,0 +1,63 @@
+var name = "svamp-cli";
+var version = "0.2.38";
+var description = "Svamp CLI — AI workspace daemon on Hypha Cloud";
+var author = "Amun AI AB";
+var license = "SEE LICENSE IN LICENSE";
+var type = "module";
+var bin = {
+	svamp: "./bin/svamp.mjs"
+};
+var files = [
+	"dist",
+	"bin"
+];
+var main = "./dist/index.mjs";
+var exports$1 = {
+	".": "./dist/index.mjs",
+	"./cli": "./dist/cli.mjs"
+};
+var scripts = {
+	build: "rm -rf dist && tsc --noEmit && pkgroll",
+	typecheck: "tsc --noEmit",
+	test: "npx tsx test/test-authorize.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-isolation-decision.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-supervisor-lock.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
+	"test:hypha": "node --no-warnings test/test-hypha-service.mjs",
+	dev: "tsx src/cli.ts",
+	"dev:daemon": "tsx src/cli.ts daemon start-sync",
+	"test:e2e": "node --no-warnings test/e2e-session-tests.mjs",
+	"test:frpc": "npx tsx test/test-frpc-e2e.mjs"
+};
+var dependencies = {
+	"@agentclientprotocol/sdk": "^0.14.1",
+	"@modelcontextprotocol/sdk": "^1.25.3",
+	"hypha-rpc": "0.21.36",
+	"node-pty": "1.2.0-beta.11",
+	ws: "^8.18.0",
+	yaml: "^2.8.2",
+	zod: "^3.24.4"
+};
+var devDependencies = {
+	"@types/node": ">=20",
+	"@types/ws": "^8.5.14",
+	pkgroll: "^2.14.2",
+	tsx: "^4.20.6",
+	typescript: "5.9.3"
+};
+var packageManager = "yarn@1.22.22";
+var _package = {
+	name: name,
+	version: version,
+	description: description,
+	author: author,
+	license: license,
+	type: type,
+	bin: bin,
+	files: files,
+	main: main,
+	exports: exports$1,
+	scripts: scripts,
+	dependencies: dependencies,
+	devDependencies: devDependencies,
+	packageManager: packageManager
+};
+
+export { author, bin, _package as default, dependencies, description, devDependencies, exports$1 as exports, files, license, main, name, packageManager, scripts, type, version };

package/dist/{run-sAfJWYld.mjs → run-BStlzTCG.mjs}

@@ -2,7 +2,7 @@ import{createRequire as _pkgrollCR}from"node:module";const require=_pkgrollCR(im
 import os from 'node:os';
 import { join, resolve } from 'node:path';
 import { mkdirSync, writeFileSync, existsSync, unlinkSync, readFileSync, watch } from 'node:fs';
-import { c as connectToHypha, a as registerSessionService } from './run-BKBv5P9v.mjs';
+import { c as connectToHypha, a as registerSessionService } from './run-D-1qvfLH.mjs';
 import { createServer } from 'node:http';
 import { spawn } from 'node:child_process';
 import { createInterface } from 'node:readline';

package/dist/{run-BKBv5P9v.mjs → run-D-1qvfLH.mjs}

@@ -4922,6 +4922,14 @@ var credentialStaging = /*#__PURE__*/Object.freeze({
     stageCredentialsForSharing: stageCredentialsForSharing
 });
 
+function shouldIsolate(input) {
+  if (input.forceIsolation) return true;
+  const sessionCtx = input.sessionSecurityContext;
+  if (sessionCtx === null) return false;
+  if (sessionCtx !== void 0) return true;
+  return input.optionsSecurityContext !== null && input.optionsSecurityContext !== void 0;
+}
+
 const DEFAULT_PROBE_INTERVAL_S = 10;
 const DEFAULT_PROBE_TIMEOUT_S = 5;
 const DEFAULT_PROBE_FAILURE_THRESHOLD = 3;
@@ -6300,6 +6308,20 @@ async function startDaemon(options) {
   process.on("SIGINT", () => requestShutdown("os-signal"));
   process.on("SIGTERM", () => requestShutdown("os-signal"));
   process.on("SIGUSR1", () => requestShutdown("os-signal-cleanup"));
+  const { watchParentLiveness } = await import('./supervisorLock-DwNAn0VN.mjs');
+  const cancelParentWatchdog = watchParentLiveness({
+    intervalMs: 5e3,
+    onParentDeath: () => {
+      logger.log("Supervisor process died \u2014 sync daemon shutting down to avoid orphan state");
+      requestShutdown("supervisor-died");
+    }
+  });
+  process.on("exit", () => {
+    try {
+      cancelParentWatchdog();
+    } catch {
+    }
+  });
   process.on("uncaughtException", (error) => {
     if (shutdownRequested) return;
     logger.error("Uncaught exception (non-fatal, daemon continues):", error);
@@ -6440,7 +6462,7 @@ async function startDaemon(options) {
   const supervisor = new ProcessSupervisor(join(SVAMP_HOME, "processes"));
   await supervisor.init();
   const tunnels = /* @__PURE__ */ new Map();
-  const { ServeManager } = await import('./serveManager-XPnOLqQ4.mjs');
+  const { ServeManager } = await import('./serveManager-MqY_0frw.mjs');
   const serveManager = new ServeManager(SVAMP_HOME, (msg) => logger.log(`[SERVE] ${msg}`), hyphaServerUrl);
   ensureAutoInstalledSkills(logger).catch(() => {
   });
@@ -6585,8 +6607,7 @@ async function startDaemon(options) {
             }
           });
         }, buildIsolationConfig2 = function(dir) {
-          if (!options2.forceIsolation && !sessionMetadata.sharing?.enabled) return null;
-          if (sessionMetadata.securityContext === null) return null;
+          if (!shouldIsolateSession()) return null;
           const method = isolationCapabilities.preferred;
           if (!method) return null;
           const detail = isolationCapabilities.details[method];
@@ -6603,10 +6624,10 @@ async function startDaemon(options) {
               trustOverride: true
             };
           }
-          if (sessionMetadata.sharing?.enabled && stagedCredentials) {
+          if (stagedCredentials) {
             config.credentialStagingPath = stagedCredentials.homePath;
           }
-          const activeSecurityContext = sessionMetadata.securityContext ?? options2.securityContext;
+          const activeSecurityContext = getActiveSecurityContext();
           if (activeSecurityContext) {
             config = applySecurityContext(config, activeSecurityContext);
           }
@@ -6743,6 +6764,12 @@ async function startDaemon(options) {
           "auto-approve-all": "bypassPermissions"
         };
         const toClaudePermissionMode = (mode) => CLAUDE_PERMISSION_MODE_MAP[mode] || mode;
+        const getActiveSecurityContext = () => sessionMetadata.securityContext ?? options2.securityContext;
+        const shouldIsolateSession = () => shouldIsolate({
+          forceIsolation: options2.forceIsolation,
+          sessionSecurityContext: sessionMetadata.securityContext,
+          optionsSecurityContext: options2.securityContext
+        });
         let isolationCleanupFiles = [];
         const spawnClaude = (initialMessage, meta) => {
           const effectiveMeta = { ...lastSpawnMeta, ...meta };
@@ -6786,7 +6813,7 @@ async function startDaemon(options) {
             if (wrapped.cleanupFiles) isolationCleanupFiles = wrapped.cleanupFiles;
             sessionMetadata = { ...sessionMetadata, isolationMethod: isoConfig.method };
             logger.log(`[Session ${sessionId}] Isolation: ${isoConfig.method} (binary: ${isoConfig.binaryPath})`);
-          } else if (options2.forceIsolation || sessionMetadata.sharing?.enabled) {
+          } else if (shouldIsolateSession()) {
             logger.log(`[Session ${sessionId}] WARNING: No isolation runtime (nono/docker/podman) available. Session is NOT sandboxed.`);
             sessionMetadata = { ...sessionMetadata, isolationMethod: void 0 };
           } else {
@@ -6797,18 +6824,15 @@ async function startDaemon(options) {
           delete spawnEnv.CLAUDECODE;
           spawnEnv.SVAMP_SESSION_ID = sessionId;
           delete spawnEnv.SVAMP_SANDBOXED;
-          if (sessionMetadata.sharing?.enabled && stagedCredentials) {
+          if (isoConfig && stagedCredentials) {
             Object.assign(spawnEnv, stagedCredentials.env);
             const filtered = {};
             for (const [k, v] of Object.entries(spawnEnv)) {
               if (v !== void 0) filtered[k] = v;
             }
             spawnEnv = sanitizeEnvForSharing(filtered);
-            logger.log(`[Session ${sessionId}] Credential staging: HOME=${stagedCredentials.homePath}`);
-            if (sessionMetadata.securityContext) {
-              spawnEnv.SVAMP_SANDBOXED = "1";
-              logger.log(`[Session ${sessionId}] Sandbox mode: ON (securityContext present)`);
-            }
+            spawnEnv.SVAMP_SANDBOXED = "1";
+            logger.log(`[Session ${sessionId}] Credential staging: HOME=${stagedCredentials.homePath}, SVAMP_SANDBOXED=1`);
           }
           const child = spawn$1(spawnCommand, spawnArgs, {
             cwd: directory,
@@ -7419,6 +7443,14 @@ The automated loop has finished. Review the progress above and let me know if yo
               return { success: false, message: "Session was stopped during restart." };
             }
             if (claudeResumeId) {
+              if (!stagedCredentials && shouldIsolateSession()) {
+                try {
+                  stagedCredentials = await stageCredentialsForSharing(sessionId);
+                  logger.log(`[Session ${sessionId}] Credentials staged at ${stagedCredentials.homePath} (runtime enable)`);
+                } catch (err) {
+                  logger.log(`[Session ${sessionId}] WARNING: Runtime credential staging failed: ${err.message}.`);
+                }
+              }
               spawnClaude(void 0, { permissionMode: currentPermissionMode });
               sessionService.updateMetadata(sessionMetadata);
               logger.log(`[Session ${sessionId}] Claude respawned with --resume ${claudeResumeId}`);
@@ -7435,12 +7467,12 @@ The automated loop has finished. Review the progress above and let me know if yo
             isRestartingClaude = false;
           }
         };
-        if (sessionMetadata.sharing?.enabled) {
+        if (shouldIsolateSession()) {
           try {
             stagedCredentials = await stageCredentialsForSharing(sessionId);
             logger.log(`[Session ${sessionId}] Credentials staged at ${stagedCredentials.homePath}`);
           } catch (err) {
-            logger.log(`[Session ${sessionId}] WARNING: Credential staging failed: ${err.message}. Shared users may have access to ~/.claude history.`);
+            logger.log(`[Session ${sessionId}] WARNING: Credential staging failed: ${err.message}.`);
           }
         }
         let processMessageQueueRef;
@@ -8357,7 +8389,8 @@ The automated loop has finished. Review the progress above and let me know if yo
         const writeSvampConfigPatchAcp = svampConfigChecker.writeConfig;
         const permissionHandler = new HyphaPermissionHandler(shouldAutoAllow2, logger.log);
         let agentIsoConfig;
-        if ((options2.forceIsolation || sessionMetadata.sharing?.enabled) && isolationCapabilities.preferred) {
+        const agentShouldIsolate = Boolean(options2.forceIsolation) || Boolean(options2.securityContext);
+        if (agentShouldIsolate && isolationCapabilities.preferred) {
           const method = isolationCapabilities.preferred;
           const detail = isolationCapabilities.details[method];
           if (detail.found && detail.verified !== false) {

package/dist/{serveCommands-Cgq6Vif4.mjs → serveCommands-B2vQJyUt.mjs}

@@ -52,7 +52,7 @@ async function handleServeCommand() {
   }
 }
 async function serveAdd(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cik0LIAl.mjs');
+  const { connectAndGetMachine } = await import('./commands-B8Q1ig7j.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -84,7 +84,7 @@ async function serveAdd(args, machineId) {
   }
 }
 async function serveRemove(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cik0LIAl.mjs');
+  const { connectAndGetMachine } = await import('./commands-B8Q1ig7j.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -104,7 +104,7 @@ async function serveRemove(args, machineId) {
   }
 }
 async function serveList(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cik0LIAl.mjs');
+  const { connectAndGetMachine } = await import('./commands-B8Q1ig7j.mjs');
   const all = hasFlag(args, "--all", "-a");
   const json = hasFlag(args, "--json");
   const sessionId = getFlag(args, "--session");
@@ -137,7 +137,7 @@ async function serveList(args, machineId) {
   }
 }
 async function serveInfo(machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cik0LIAl.mjs');
+  const { connectAndGetMachine } = await import('./commands-B8Q1ig7j.mjs');
   const { machine, server } = await connectAndGetMachine(machineId);
   try {
     const info = await machine.serveInfo();

package/dist/{serveManager-XPnOLqQ4.mjs → serveManager-MqY_0frw.mjs}

@@ -258,13 +258,14 @@ class ServeManager {
   // auth proxy public port
   caddyPort = 0;
   // Caddy internal port
-  frpcTunnel = null;
+  /** Per-mount frpc tunnel — each mount gets its own subdomain `static-<name>-<hash>`. */
+  mountTunnels = /* @__PURE__ */ new Map();
+  /** hostname (lowercased, no port) → mount name. Updated when tunnels connect. */
+  hostToMount = /* @__PURE__ */ new Map();
   caddy = null;
   proxyServer = null;
-  serviceUrl = null;
   auth = null;
   persistFile;
-  serviceName = "static-serve";
   log;
   hyphaServerUrl;
   constructor(svampHome, logger, hyphaServerUrl) {
@@ -300,19 +301,31 @@ class ServeManager {
     if (this.caddy?.isRunning) {
       await this.caddy.addMount(name, resolvedDir);
     }
+    await this.startMountTunnel(name);
     this.persist();
     const url = this.getMountUrl(name);
-    this.log(`Mount added: ${name} \u2192 ${resolvedDir} (${url})`);
-    return { url, mount };
+    this.log(`Mount added: ${name} \u2192 ${resolvedDir} (${url ?? "tunnel pending"})`);
+    return { url: url || "", mount };
   }
   /**
-   * Remove a mount. If no mounts remain, stop Caddy + tunnel.
+   * Remove a mount. If no mounts remain, stop Caddy + auth proxy.
    */
   async removeMount(name) {
     if (!this.mounts.has(name)) {
       throw new Error(`Mount '${name}' not found`);
     }
     this.mounts.delete(name);
+    const tunnel = this.mountTunnels.get(name);
+    if (tunnel) {
+      try {
+        tunnel.destroy();
+      } catch {
+      }
+      this.mountTunnels.delete(name);
+    }
+    for (const [host, mountName] of this.hostToMount.entries()) {
+      if (mountName === name) this.hostToMount.delete(host);
+    }
     if (this.caddy?.isRunning) {
       try {
         await this.caddy.removeMount(name);
@@ -337,16 +350,21 @@ class ServeManager {
     return all;
   }
   /**
-   * Get server info (URL, port, running state, mount count).
+   * Get server info — each mount has its own URL (per-mount subdomain).
    */
   getInfo() {
     const running = this.caddy?.isRunning ?? false;
+    const firstMount = this.mounts.values().next().value;
+    const firstUrl = firstMount ? this.getMountUrl(firstMount.name) : null;
     return {
-      url: this.serviceUrl,
+      url: firstUrl,
       port: running ? this.caddy?.port ?? this.port : 0,
       running,
       mountCount: this.mounts.size,
-      mounts: Array.from(this.mounts.values())
+      mounts: Array.from(this.mounts.values()).map((m) => ({
+        ...m,
+        url: this.getMountUrl(m.name) || void 0
+      }))
     };
   }
   /**
@@ -370,6 +388,13 @@ class ServeManager {
       if (restoredCount > 0) {
         this.log(`Restoring ${restoredCount} mount(s)...`);
         await this.ensureRunning();
+        for (const m of this.mounts.values()) {
+          try {
+            await this.startMountTunnel(m.name);
+          } catch (err) {
+            this.log(`Failed to start tunnel for restored mount '${m.name}': ${err.message}`);
+          }
+        }
         this.persist();
       }
     } catch (err) {
@@ -377,14 +402,18 @@ class ServeManager {
     }
   }
   /**
-   * Shut down auth proxy + Caddy + frpc tunnel.
+   * Shut down auth proxy + Caddy + all per-mount frpc tunnels.
    */
   async shutdown() {
-    if (this.frpcTunnel) {
-      this.frpcTunnel.destroy();
-      this.frpcTunnel = null;
-      this.log("frpc tunnel stopped");
+    for (const [name, tunnel] of this.mountTunnels.entries()) {
+      try {
+        tunnel.destroy();
+      } catch {
+      }
+      this.log(`frpc tunnel for '${name}' stopped`);
     }
+    this.mountTunnels.clear();
+    this.hostToMount.clear();
     if (this.proxyServer) {
       await new Promise((resolve) => this.proxyServer.close(() => resolve()));
       this.proxyServer = null;
@@ -395,18 +424,19 @@ class ServeManager {
       this.log("Caddy stopped");
     }
     this.auth?.destroy();
-    this.serviceUrl = null;
   }
   // ── Internal ─────────────────────────────────────────────────────────
+  /** Get the public URL for a mount (mount-specific subdomain). */
   getMountUrl(name) {
-    const base = this.serviceUrl || `http://127.0.0.1:${this.port}`;
-    return `${base}/${name}/`;
+    const tunnel = this.mountTunnels.get(name);
+    const url = tunnel?.getUrls().get(this.port);
+    if (url) return `${url}/`;
+    if (this.port) return `http://127.0.0.1:${this.port}/${name}/`;
+    return null;
   }
   persist() {
     const state = {
-      mounts: Array.from(this.mounts.values()),
-      serviceName: this.serviceName,
-      serviceUrl: this.serviceUrl
+      mounts: Array.from(this.mounts.values())
     };
     try {
       fs.writeFileSync(this.persistFile, JSON.stringify(state, null, 2));
@@ -414,7 +444,7 @@ class ServeManager {
       this.log(`Error persisting serve state: ${err.message}`);
     }
   }
-  /** Start auth proxy + Caddy + frpc tunnel if not already running. */
+  /** Start auth proxy + Caddy if not already running. Per-mount tunnels are started separately. */
   async ensureRunning() {
     if (this.caddy?.isRunning) return;
     this.caddyPort = await findFreePort();
@@ -434,14 +464,27 @@ class ServeManager {
     this.log(`Caddy file server started on 127.0.0.1:${this.caddyPort}`);
     await this.startAuthProxy();
     this.log(`Auth proxy started on 127.0.0.1:${this.port}`);
-    await this.ensureTunnel();
   }
   /** Start a lightweight Node.js HTTP proxy with auth + upload support. */
   startAuthProxy() {
     return new Promise((resolve, reject) => {
       const server = http.createServer(async (req, res) => {
         const url = new URL(req.url || "/", `http://127.0.0.1:${this.port}`);
-        if (url.pathname === "/__login__") {
+        const incomingHost = (req.headers.host || "").split(":")[0].toLowerCase();
+        const hostMount = this.hostToMount.get(incomingHost);
+        let mountName;
+        let mountResolvedByHost = false;
+        let basePath;
+        if (hostMount && this.mounts.has(hostMount)) {
+          mountName = hostMount;
+          mountResolvedByHost = true;
+          basePath = url.pathname;
+        } else {
+          mountName = url.pathname.split("/").filter(Boolean)[0];
+          basePath = mountName ? url.pathname.slice(`/${mountName}`.length) || "/" : url.pathname;
+        }
+        const mount = mountName ? this.mounts.get(mountName) : void 0;
+        if (basePath === "/__login__" || url.pathname === "/__login__") {
           const returnUrl = url.searchParams.get("return") || "/";
           const safeReturn = returnUrl.startsWith("/__login__") ? "/" : returnUrl;
           const html = this.auth ? this.auth.getLoginPageHtml(safeReturn) : "<h1>Auth not configured</h1>";
@@ -452,8 +495,6 @@ class ServeManager {
           res.end(html);
           return;
         }
-        const mountName = url.pathname.split("/").filter(Boolean)[0];
-        const mount = mountName ? this.mounts.get(mountName) : void 0;
         if (mount && mount.access !== "public") {
           const userEmail = this.auth ? await this.auth.authenticate(req).catch(() => null) : null;
           const allowed = this.auth ? this.auth.isAuthorized(userEmail, mount.access, mount.ownerEmail) : false;
@@ -469,8 +510,7 @@ class ServeManager {
           }
         }
         if (req.method === "PUT" && mount) {
-          const subPath = url.pathname.slice(`/${mountName}`.length) || "/";
-          const filePath = path.join(mount.directory, subPath);
+          const filePath = path.join(mount.directory, basePath);
           fs.mkdirSync(path.dirname(filePath), { recursive: true });
           const ws = fs.createWriteStream(filePath);
           req.pipe(ws);
@@ -485,8 +525,7 @@ class ServeManager {
           return;
         }
         if (req.method === "DELETE" && mount) {
-          const subPath = url.pathname.slice(`/${mountName}`.length) || "/";
-          const filePath = path.join(mount.directory, subPath);
+          const filePath = path.join(mount.directory, basePath);
           try {
             fs.unlinkSync(filePath);
             res.writeHead(204);
@@ -497,10 +536,15 @@ class ServeManager {
           }
           return;
         }
+        let proxyPath = req.url || "/";
+        if (mountResolvedByHost && mountName) {
+          const search = url.search || "";
+          proxyPath = `/${mountName}${basePath === "/" ? "/" : basePath}${search}`;
+        }
         const proxyReq = http.request({
           hostname: "127.0.0.1",
           port: this.caddyPort,
-          path: req.url,
+          path: proxyPath,
           method: req.method,
           headers: req.headers
         }, (proxyRes) => {
@@ -520,42 +564,82 @@ class ServeManager {
       server.on("error", reject);
     });
   }
-  /** Get frpc tunnel health status, or null if no tunnel. */
+  /** Get aggregate health: returns the status of the worst-failing per-mount tunnel. */
   getTunnelHealth() {
-    return this.frpcTunnel?.status ?? null;
+    if (this.mountTunnels.size === 0) return null;
+    let worst = null;
+    for (const t of this.mountTunnels.values()) {
+      const s = t.status;
+      if (worst === null) {
+        worst = s;
+        continue;
+      }
+      if (s.failingDurationMs > worst.failingDurationMs) worst = s;
+    }
+    return worst;
   }
-  /** Destroy and recreate the frpc tunnel with fresh config. */
+  /** Destroy and recreate all per-mount tunnels with fresh configs. */
   async recreateTunnel() {
-    if (this.frpcTunnel) {
-      this.log("Recreating frpc tunnel (persistent failure detected)...");
-      this.frpcTunnel.destroy();
-      this.frpcTunnel = null;
+    this.log("Recreating all per-mount frpc tunnels (persistent failure detected)...");
+    const names = Array.from(this.mountTunnels.keys());
+    for (const name of names) {
+      const t = this.mountTunnels.get(name);
+      if (t) {
+        try {
+          t.destroy();
+        } catch {
+        }
+      }
+      this.mountTunnels.delete(name);
+    }
+    this.hostToMount.clear();
+    for (const name of names) {
+      try {
+        await this.startMountTunnel(name);
+      } catch (err) {
+        this.log(`Failed to restart tunnel for '${name}': ${err.message}`);
+      }
     }
-    await this.ensureTunnel();
   }
-  /** Start frpc tunnel for the Caddy port. */
-  async ensureTunnel() {
+  /** Start a per-mount frpc tunnel pointing the auth-proxy port to a dedicated subdomain. */
+  async startMountTunnel(mountName) {
+    if (this.mountTunnels.has(mountName)) return;
+    if (!this.port) throw new Error("Auth proxy not running \u2014 call ensureRunning() first");
+    const subdomainSafe = mountName.toLowerCase().replace(/[^a-z0-9-]/g, "-");
+    const tunnelName = `static-${subdomainSafe}`;
     try {
       const { FrpcTunnel } = await import('./frpc-DzRFx60H.mjs');
-      this.frpcTunnel = new FrpcTunnel({
-        name: this.serviceName,
+      const tunnel = new FrpcTunnel({
+        name: tunnelName,
         ports: [this.port],
-        onError: (err) => this.log(`frpc error: ${err.message}`),
+        onError: (err) => this.log(`frpc error [${mountName}]: ${err.message}`),
         onConnect: () => {
-          const url = this.frpcTunnel?.getUrls().get(this.port);
-          if (url) {
-            this.serviceUrl = url;
-            this.log(`frpc tunnel connected. URL: ${this.serviceUrl}`);
+          const url2 = tunnel.getUrls().get(this.port);
+          if (url2) {
+            try {
+              const host = new URL(url2).hostname.toLowerCase();
+              this.hostToMount.set(host, mountName);
+            } catch {
+            }
+            this.log(`frpc tunnel connected for '${mountName}'. URL: ${url2}/`);
           }
         },
-        onDisconnect: () => this.log("frpc tunnel disconnected, will auto-reconnect...")
+        onDisconnect: () => this.log(`frpc tunnel for '${mountName}' disconnected, will auto-reconnect...`)
       });
-      await this.frpcTunnel.connect();
-      this.serviceUrl = this.frpcTunnel.getUrls().get(this.port) || null;
-      this.log(`frpc tunnel started. URL: ${this.serviceUrl}`);
+      await tunnel.connect();
+      this.mountTunnels.set(mountName, tunnel);
+      const url = tunnel.getUrls().get(this.port);
+      if (url) {
+        try {
+          const host = new URL(url).hostname.toLowerCase();
+          this.hostToMount.set(host, mountName);
+        } catch {
+        }
+        this.log(`frpc tunnel started for '${mountName}'. URL: ${url}/`);
+      }
     } catch (err) {
-      this.log(`Warning: could not expose server externally: ${err.message}`);
-      this.log(`Server available locally at http://127.0.0.1:${this.port}`);
+      this.log(`Warning: could not expose mount '${mountName}' externally: ${err.message}`);
+      this.log(`Mount '${mountName}' available locally at http://127.0.0.1:${this.port}/${mountName}/`);
     }
   }
 }

package/dist/supervisorLock-DwNAn0VN.mjs

@@ -0,0 +1,157 @@
+import { existsSync, readFileSync, unlinkSync, openSync, writeSync, closeSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+
+function acquireSupervisorLock(pidFile, pid = process.pid) {
+  try {
+    const fd = openSync(pidFile, "wx");
+    try {
+      writeSync(fd, String(pid));
+    } finally {
+      closeSync(fd);
+    }
+    return { acquired: true };
+  } catch (err) {
+    if (err?.code !== "EEXIST") throw err;
+  }
+  let existingPid = 0;
+  try {
+    existingPid = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+  } catch {
+  }
+  if (!existingPid || Number.isNaN(existingPid) || existingPid <= 0) {
+    try {
+      unlinkSync(pidFile);
+    } catch {
+    }
+    return { acquired: false, staleCleaned: true };
+  }
+  if (isPidAlive(existingPid)) {
+    return { acquired: false, heldBy: existingPid };
+  }
+  try {
+    unlinkSync(pidFile);
+  } catch {
+  }
+  return { acquired: false, staleCleaned: true };
+}
+function acquireSupervisorLockWithRetry(pidFile, pid = process.pid) {
+  let result = acquireSupervisorLock(pidFile, pid);
+  if (!result.acquired && result.staleCleaned) {
+    result = acquireSupervisorLock(pidFile, pid);
+  }
+  return { acquired: result.acquired, heldBy: result.heldBy };
+}
+function releaseSupervisorLock(pidFile, pid = process.pid) {
+  try {
+    if (!existsSync(pidFile)) return;
+    const content = parseInt(readFileSync(pidFile, "utf-8").trim(), 10);
+    if (content === pid) unlinkSync(pidFile);
+  } catch {
+  }
+}
+function isPidAlive(pid) {
+  if (!pid || Number.isNaN(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function findOrphanedSyncPids(currentSupervisorPid = process.pid) {
+  if (process.platform === "win32") return [];
+  const pids = [];
+  try {
+    const output = execFileSync("pgrep", ["-af", "svamp daemon start-sync"], {
+      encoding: "utf-8",
+      timeout: 5e3
+    });
+    for (const line of output.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const match = trimmed.match(/^(\d+)\s/);
+      if (!match) continue;
+      const pid = parseInt(match[1], 10);
+      if (Number.isNaN(pid) || pid <= 0) continue;
+      if (pid === process.pid) continue;
+      const ppid = getPpid(pid);
+      if (ppid === currentSupervisorPid) continue;
+      pids.push(pid);
+    }
+  } catch (err) {
+    if (err?.status !== 1) ;
+  }
+  return pids;
+}
+function getPpid(pid) {
+  if (process.platform === "win32") return 0;
+  try {
+    const out = execFileSync("ps", ["-o", "ppid=", "-p", String(pid)], {
+      encoding: "utf-8",
+      timeout: 2e3
+    }).trim();
+    const ppid = parseInt(out, 10);
+    return Number.isNaN(ppid) ? 0 : ppid;
+  } catch {
+    return 0;
+  }
+}
+async function killOrphanedSyncs(pids, opts = {}) {
+  if (pids.length === 0) return;
+  const log = opts.log || (() => {
+  });
+  const gracePeriodMs = opts.gracePeriodMs ?? 3e3;
+  log(`Killing ${pids.length} orphan sync daemon(s): ${pids.join(", ")}`);
+  for (const pid of pids) {
+    try {
+      process.kill(pid, "SIGTERM");
+    } catch {
+    }
+  }
+  const pollStep = 100;
+  const steps = Math.max(1, Math.ceil(gracePeriodMs / pollStep));
+  for (let i = 0; i < steps; i++) {
+    await new Promise((r) => setTimeout(r, pollStep));
+    if (pids.every((p) => !isPidAlive(p))) {
+      log("All orphan daemons exited cleanly");
+      return;
+    }
+  }
+  const survivors = pids.filter(isPidAlive);
+  if (survivors.length > 0) {
+    log(`Force-killing survivors: ${survivors.join(", ")}`);
+    for (const pid of survivors) {
+      try {
+        process.kill(pid, "SIGKILL");
+      } catch {
+      }
+    }
+  }
+}
+function watchParentLiveness(opts) {
+  if (process.env.SVAMP_SUPERVISED !== "1") {
+    return () => {
+    };
+  }
+  const supervisorPid = process.ppid;
+  if (!supervisorPid || supervisorPid === 1) {
+    return () => {
+    };
+  }
+  const intervalMs = opts.intervalMs ?? 5e3;
+  let fired = false;
+  const timer = setInterval(() => {
+    if (fired) return;
+    if (!isPidAlive(supervisorPid)) {
+      fired = true;
+      clearInterval(timer);
+      opts.onParentDeath();
+    }
+  }, intervalMs);
+  timer.unref?.();
+  return () => {
+    clearInterval(timer);
+  };
+}
+
+export { acquireSupervisorLock, acquireSupervisorLockWithRetry, findOrphanedSyncPids, getPpid, isPidAlive, killOrphanedSyncs, releaseSupervisorLock, watchParentLiveness };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svamp-cli",
-  "version": "0.2.36",
+  "version": "0.2.38",
   "description": "Svamp CLI — AI workspace daemon on Hypha Cloud",
   "author": "Amun AI AB",
   "license": "SEE LICENSE IN LICENSE",
@@ -20,7 +20,7 @@
   "scripts": {
     "build": "rm -rf dist && tsc --noEmit && pkgroll",
     "typecheck": "tsc --noEmit",
-    "test": "npx tsx test/test-authorize.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
+    "test": "npx tsx test/test-authorize.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-isolation-decision.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-supervisor-lock.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
     "test:hypha": "node --no-warnings test/test-hypha-service.mjs",
     "dev": "tsx src/cli.ts",
     "dev:daemon": "tsx src/cli.ts daemon start-sync",

package/dist/package-DDUrcHYU.mjs

@@ -1,63 +0,0 @@
-var name = "svamp-cli";
-var version = "0.2.36";
-var description = "Svamp CLI — AI workspace daemon on Hypha Cloud";
-var author = "Amun AI AB";
-var license = "SEE LICENSE IN LICENSE";
-var type = "module";
-var bin = {
-	svamp: "./bin/svamp.mjs"
-};
-var files = [
-	"dist",
-	"bin"
-];
-var main = "./dist/index.mjs";
-var exports$1 = {
-	".": "./dist/index.mjs",
-	"./cli": "./dist/cli.mjs"
-};
-var scripts = {
-	build: "rm -rf dist && tsc --noEmit && pkgroll",
-	typecheck: "tsc --noEmit",
-	test: "npx tsx test/test-authorize.mjs && npx tsx test/test-session-helpers.mjs && npx tsx test/test-cli-routing.mjs && npx tsx test/test-security-context.mjs && npx tsx test/test-ralph-loop.mjs && npx tsx test/test-message-helpers.mjs && npx tsx test/test-agent-config.mjs && npx tsx test/test-wrap-command.mjs && npx tsx test/test-credential-staging.mjs && npx tsx test/test-output-formatters.mjs && npx tsx test/test-agent-types.mjs && npx tsx test/test-transport.mjs && npx tsx test/test-session-update-handlers.mjs && npx tsx test/test-session-scanner.mjs && npx tsx test/test-hypha-client.mjs && npx tsx test/test-hook-settings.mjs && npx tsx test/test-session-service-logic.mjs && npx tsx test/test-daemon-persistence.mjs && npx tsx test/test-detect-isolation.mjs && npx tsx test/test-machine-service-logic.mjs && npx tsx test/test-interactive-helpers.mjs && npx tsx test/test-codex-backend.mjs && npx tsx test/test-acp-backend.mjs && npx tsx test/test-acp-bridge.mjs && npx tsx test/test-hook-server.mjs && npx tsx test/test-session-commands.mjs && npx tsx test/test-interactive-console.mjs && npx tsx test/test-session-messages.mjs && npx tsx test/test-skills.mjs && npx tsx test/test-agent-grouping.mjs && npx tsx test/test-ralph-loop-integration.mjs && npx tsx test/test-ralph-loop-modes.mjs && npx tsx test/test-machine-list-directory.mjs && npx tsx test/test-service-commands.mjs && npx tsx test/test-supervisor.mjs && npx tsx test/test-clear-detection.mjs && npx tsx test/test-session-consolidation.mjs && npx tsx test/test-inbox.mjs && npx tsx test/test-session-rpc-dispatch.mjs && npx tsx test/test-sandbox-cli.mjs && npx tsx test/test-serve-manager.mjs && npx tsx test/test-serve-stability.mjs && npx tsx test/test-frpc-e2e.mjs --unit-only",
-	"test:hypha": "node --no-warnings test/test-hypha-service.mjs",
-	dev: "tsx src/cli.ts",
-	"dev:daemon": "tsx src/cli.ts daemon start-sync",
-	"test:e2e": "node --no-warnings test/e2e-session-tests.mjs",
-	"test:frpc": "npx tsx test/test-frpc-e2e.mjs"
-};
-var dependencies = {
-	"@agentclientprotocol/sdk": "^0.14.1",
-	"@modelcontextprotocol/sdk": "^1.25.3",
-	"hypha-rpc": "0.21.36",
-	"node-pty": "1.2.0-beta.11",
-	ws: "^8.18.0",
-	yaml: "^2.8.2",
-	zod: "^3.24.4"
-};
-var devDependencies = {
-	"@types/node": ">=20",
-	"@types/ws": "^8.5.14",
-	pkgroll: "^2.14.2",
-	tsx: "^4.20.6",
-	typescript: "5.9.3"
-};
-var packageManager = "yarn@1.22.22";
-var _package = {
-	name: name,
-	version: version,
-	description: description,
-	author: author,
-	license: license,
-	type: type,
-	bin: bin,
-	files: files,
-	main: main,
-	exports: exports$1,
-	scripts: scripts,
-	dependencies: dependencies,
-	devDependencies: devDependencies,
-	packageManager: packageManager
-};
-
-export { author, bin, _package as default, dependencies, description, devDependencies, exports$1 as exports, files, license, main, name, packageManager, scripts, type, version };