thinkpool-pair 0.7.16 → 0.7.18

package/account.mjs

@@ -19,6 +19,46 @@ const VERSION = (() => { try { return JSON.parse(fs.readFileSync(new URL('./pack
 
 const BRIDGE = fileURLToPath(new URL('./bridge.mjs', import.meta.url))
 
+// ── single-instance lock ────────────────────────────────────────────────────
+// Two account supervisors on one machine share ONE ~/.thinkpool-pair/auth.json
+// refresh token and race its rotation — which on 2026-06-17 deleted a live Pro
+// login mid-session. The account supervisor is single-instance by nature; this
+// pidfile lock refuses a second one. Acquired BEFORE auth so two can't both hit
+// the refresh path. Exported for the test harness.
+const LOCK = path.join(os.homedir(), '.thinkpool-pair', 'account.lock')
+
+// True if `pid` is a live process (EPERM = exists but not ours; ESRCH = gone).
+function pidAlive(pid) {
+  if (!pid || pid === process.pid) return false
+  try { process.kill(pid, 0); return true } catch (e) { return e.code === 'EPERM' }
+}
+
+// Returns true if we now hold the lock, false if another LIVE supervisor holds it.
+// A stale lock (holder dead / garbage / ours) is taken over. fs errors fail-OPEN
+// (return true) — a lock we can't manage must never block the real bridge.
+export function acquireSingleton(lockPath = LOCK) {
+  try { fs.mkdirSync(path.dirname(lockPath), { recursive: true }) } catch { /* noop */ }
+  for (let i = 0; i < 3; i++) {
+    try {
+      const fd = fs.openSync(lockPath, 'wx')        // atomic create-exclusive
+      fs.writeSync(fd, String(process.pid)); fs.closeSync(fd)
+      return true
+    } catch (e) {
+      if (e.code !== 'EEXIST') return true           // can't create for another reason → fail open
+      let pid = 0
+      try { pid = parseInt(fs.readFileSync(lockPath, 'utf8').trim(), 10) || 0 } catch { /* unreadable */ }
+      if (pidAlive(pid)) return false                // a live supervisor owns it → refuse
+      try { fs.rmSync(lockPath, { force: true }) } catch { return true }   // stale → drop + retry
+    }
+  }
+  return true
+}
+
+// Release only if WE own it (don't unlink a lock another instance took over).
+export function releaseSingleton(lockPath = LOCK) {
+  try { if ((parseInt(fs.readFileSync(lockPath, 'utf8').trim(), 10) || 0) === process.pid) fs.rmSync(lockPath, { force: true }) } catch { /* noop */ }
+}
+
 // ── login: OAuth-style DEVICE-CODE flow (hardened) ──────────────────────────
 // The bridge asks Postgres (start_device_code) for a secret device_code + a short
 // human user_code, prints the user_code + URL, then POLLS claim_device_code with
@@ -76,8 +116,13 @@ export function runBind(room, dir) {
 
 // ── account supervisor: a headless child bridge per bound room, in its dir ──
 export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
+  if (!acquireSingleton()) {
+    console.error('\n  ◇ An account bridge is already running on this machine\n    (~/.thinkpool-pair/account.lock). Not starting a second — two would race\n    your saved login. Stop the other one first, or share a single room with\n    `npx thinkpool-pair <ROOM>`.\n')
+    process.exit(0)
+  }
   const auth = await authedClient(SUPABASE_URL, SUPABASE_ANON)
   if (!auth) {
+    releaseSingleton()
     // Do NOT delete auth.json here. A refresh can fail transiently (offline) or
     // lose a refresh-token rotation race with another bridge sharing this login —
     // wiping the file on that destroys a still-valid login. Leave it: only an
@@ -120,7 +165,18 @@ export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
   const machine = os.hostname().replace(/\.local$/, '')
   const acct = sb.channel(`tpacct:${session.user.id}`, { config: { presence: { key: machine }, broadcast: { self: false } } })
   // Dashboard "Disconnect" → broadcast shutdown → clean exit (presence leaves, bar flips live).
-  acct.on('broadcast', { event: 'shutdown' }, () => { process.stderr.write('\n  ◇ disconnect requested from the dashboard — stopping bridge.\n'); process.kill(process.pid, 'SIGTERM') })
+  // If we're the auto-restarting background service (launchd KeepAlive / systemd
+  // Restart=always sets AUTOUPDATE=1), a bare exit would be respawned ~2s later —
+  // so the toggle would appear to do nothing (presence leaves, then rejoins).
+  // Uninstall the account service FIRST so the supervisor won't restart us, then
+  // stop. Mirrors the per-room session-deleted guard in bridge.mjs.
+  acct.on('broadcast', { event: 'shutdown' }, async () => {
+    process.stderr.write('\n  ◇ disconnect requested from the dashboard — stopping bridge.\n')
+    if (process.env.THINKPOOL_PAIR_AUTOUPDATE === '1') {
+      try { const svc = await import('./service.mjs'); svc.uninstallService(null) } catch { /* noop */ }
+    }
+    process.kill(process.pid, 'SIGTERM')
+  })
   const pushPresence = () => { try { acct.track({ name: machine, version: VERSION, rooms: [...children.keys()], ts: Date.now() }) } catch { /* noop */ } }
   await new Promise((res) => acct.subscribe((st) => { if (st === 'SUBSCRIBED') { pushPresence(); res() } }))
 
@@ -161,6 +217,7 @@ export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
   const stop = (sig) => {
     if (stopping) return; stopping = true
     clearInterval(iv)
+    releaseSingleton()
     for (const c of children.values()) { try { c.kill(sig || 'SIGTERM') } catch { /* noop */ } }
     // Flush the presence LEAVE before exiting so the dashboard flips to
     // "not connected" in realtime (don't fire-and-forget the untrack).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkpool-pair",
-  "version": "0.7.16",
+  "version": "0.7.18",
   "description": "Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.",
   "type": "module",
   "bin": {