typeclaw 0.23.0 → 0.25.0

package/src/git/reconcile-ignored.ts

@@ -0,0 +1,214 @@
+import { existsSync } from 'node:fs'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+import { SYSTEM_MANAGED_ROOTS, TRULY_IGNORED_PATTERNS } from '@/init/gitignore'
+
+export type UntrackResult = { untracked: string[] }
+
+// Removes from the index any tracked file that now matches a truly-ignored
+// rule. .gitignore only affects UNtracked files, so a file committed before its
+// ignore rule existed (e.g. public/review.json after `public/` was added to the
+// template) keeps getting tracked forever; this reconciles that on every start.
+// Files are removed with --cached, so they stay on disk.
+//
+// Best-effort, like commitSystemFile: no-ops when the folder is not a git repo,
+// Bun is missing, the repo has no matching tracked files, or any git step fails.
+// Never throws — start() hygiene must not block boot. The removals are staged
+// but NOT committed here; the caller folds them into the .gitignore commit so
+// the rule change and its index cleanup land atomically.
+export async function untrackTrulyIgnoredFiles(
+  cwd: string,
+  customAppend: readonly string[] = [],
+): Promise<UntrackResult> {
+  const empty: UntrackResult = { untracked: [] }
+
+  const bun = getBun()
+  if (!bun) return empty
+  if (!existsSync(join(cwd, '.git'))) return empty
+
+  const patterns = [...TRULY_IGNORED_PATTERNS, ...customAppend]
+  let excludeDir: string | null = null
+  try {
+    excludeDir = await mkdtemp(join(tmpdir(), 'typeclaw-untrack-'))
+    const excludeFile = join(excludeDir, 'exclude')
+    await writeFile(excludeFile, `${patterns.join('\n')}\n`)
+
+    const candidates = await listTrackedIgnored(bun, cwd, excludeFile)
+    const removable = candidates.filter((path) => !isSystemManaged(path))
+    if (removable.length === 0) return empty
+
+    const removed = await gitRmCached(bun, cwd, removable)
+    return { untracked: removed }
+  } catch {
+    return empty
+  } finally {
+    if (excludeDir) await rm(excludeDir, { recursive: true, force: true }).catch(() => {})
+  }
+}
+
+// Commits exactly { .gitignore + the untrack removals } in one commit, leaving
+// any UNRELATED user-staged work out of the commit but still staged.
+//
+// Why plumbing instead of `git commit -- <paths>`: a pathspec/--only commit
+// re-snapshots the listed paths from the WORKING TREE, so a `git rm --cached`
+// removal of a file that still exists on disk gets silently re-added. A plain
+// `git commit` gets the removal right but sweeps in unrelated staged work. So
+// we build the exact tree in a throwaway index seeded from HEAD, commit-tree
+// it, and compare-and-swap HEAD via update-ref (race-safe against concurrent
+// HEAD moves). This bypasses commit hooks, which is fine for a system commit.
+//
+// Caller contract: the REAL index already has .gitignore staged and the
+// untracked paths removed (via git rm --cached). update-ref then makes the
+// real index match the new HEAD, so those paths read clean afterward.
+//
+// If the plumbing path can't run (no HEAD, update-ref CAS race, transient git
+// failure) we fall back to a plain `git commit` of the real index — but ONLY
+// when the staged set is exactly { .gitignore + the removals }. This guarantees
+// start()'s hygiene rewrite never gets stranded staged-but-uncommitted (leaving
+// the repo dirty), while the staged-set check still protects any pre-existing
+// user-staged work from being swept into the fallback commit.
+export type CommitGitignoreDeps = {
+  // Seam so tests can force the plumbing path to fail and exercise the fallback;
+  // a real update-ref CAS race or transient git failure is otherwise hard to
+  // reproduce deterministically. Defaults to the real temp-index commit.
+  commitAtomic?: (
+    bun: BunLike,
+    cwd: string,
+    gitignoreFile: string,
+    untracked: readonly string[],
+    message: string,
+  ) => Promise<boolean>
+}
+
+export async function commitGitignoreWithUntracks(
+  cwd: string,
+  gitignoreFile: string,
+  untracked: readonly string[],
+  message: string,
+  deps: CommitGitignoreDeps = {},
+): Promise<boolean> {
+  const bun = getBun()
+  if (!bun) return false
+  if (!existsSync(join(cwd, '.git'))) return false
+  if (untracked.length === 0) return false
+
+  const commitAtomic = deps.commitAtomic ?? commitViaTempIndex
+  if (!(await run(bun, cwd, ['add', '--', gitignoreFile]))) return false
+  if (await commitAtomic(bun, cwd, gitignoreFile, untracked, message)) return true
+  return await commitRealIndexIfExactlyOurs(bun, cwd, gitignoreFile, untracked, message)
+}
+
+async function commitViaTempIndex(
+  bun: BunLike,
+  cwd: string,
+  gitignoreFile: string,
+  untracked: readonly string[],
+  message: string,
+): Promise<boolean> {
+  let indexDir: string | null = null
+  try {
+    const parent = (await capture(bun, cwd, ['rev-parse', '--verify', 'HEAD'])).trim()
+    if (parent.length === 0) return false
+
+    indexDir = await mkdtemp(join(tmpdir(), 'typeclaw-untrack-idx-'))
+    const env = { ...process.env, GIT_INDEX_FILE: join(indexDir, 'index') }
+    if (!(await run(bun, cwd, ['read-tree', parent], env))) return false
+    if (!(await run(bun, cwd, ['add', '--', gitignoreFile], env))) return false
+    if (!(await forceRemove(bun, cwd, untracked, env))) return false
+
+    const tree = (await capture(bun, cwd, ['write-tree'], env)).trim()
+    if (tree.length === 0) return false
+    const commit = (await capture(bun, cwd, ['commit-tree', tree, '-p', parent, '-m', message])).trim()
+    if (commit.length === 0) return false
+
+    return await run(bun, cwd, ['update-ref', '-m', message, 'HEAD', commit, parent])
+  } catch {
+    return false
+  } finally {
+    if (indexDir) await rm(indexDir, { recursive: true, force: true }).catch(() => {})
+  }
+}
+
+async function commitRealIndexIfExactlyOurs(
+  bun: BunLike,
+  cwd: string,
+  gitignoreFile: string,
+  untracked: readonly string[],
+  message: string,
+): Promise<boolean> {
+  const staged = (await capture(bun, cwd, ['diff', '--cached', '--name-only', '-z']))
+    .split('\0')
+    .filter((entry) => entry.length > 0)
+  if (staged.length === 0) return false
+
+  const expected = new Set([gitignoreFile, ...untracked])
+  if (staged.length !== expected.size || !staged.every((path) => expected.has(path))) return false
+
+  return await run(bun, cwd, ['commit', '-m', message])
+}
+
+// Hardcoded fail-closed guard: even if a custom git.ignore.append pattern
+// matches a system-managed root, never untrack it. The git ls-files match is
+// against the truly-ignored set only, but custom patterns are user-supplied and
+// could be arbitrarily broad (`**`), so re-check here as the last line.
+function isSystemManaged(path: string): boolean {
+  return SYSTEM_MANAGED_ROOTS.some((root) => path === root.replace(/\/$/, '') || path.startsWith(root))
+}
+
+async function listTrackedIgnored(bun: BunLike, cwd: string, excludeFile: string): Promise<string[]> {
+  const proc = bun.spawn({
+    cmd: ['git', 'ls-files', '-z', '-c', '-i', '--exclude-from', excludeFile],
+    cwd,
+    stdout: 'pipe',
+    stderr: 'pipe',
+  })
+  if ((await proc.exited) !== 0) return []
+  const raw = await new Response(proc.stdout).text()
+  return raw.split('\0').filter((entry) => entry.length > 0)
+}
+
+async function gitRmCached(bun: BunLike, cwd: string, files: string[]): Promise<string[]> {
+  const proc = bun.spawn({
+    cmd: ['git', 'rm', '--cached', '-q', '--', ...files],
+    cwd,
+    stdout: 'pipe',
+    stderr: 'pipe',
+  })
+  if ((await proc.exited) !== 0) return []
+  return files
+}
+
+type GitEnv = Record<string, string | undefined>
+
+async function run(bun: BunLike, cwd: string, args: string[], env?: GitEnv): Promise<boolean> {
+  const proc = bun.spawn({ cmd: ['git', ...args], cwd, env, stdout: 'pipe', stderr: 'pipe' })
+  return (await proc.exited) === 0
+}
+
+async function capture(bun: BunLike, cwd: string, args: string[], env?: GitEnv): Promise<string> {
+  const proc = bun.spawn({ cmd: ['git', ...args], cwd, env, stdout: 'pipe', stderr: 'pipe' })
+  if ((await proc.exited) !== 0) return ''
+  return await new Response(proc.stdout).text()
+}
+
+// --force-remove drops the index entry regardless of the file existing on disk;
+// the NUL-delimited stdin form is safe for paths with spaces/newlines.
+async function forceRemove(bun: BunLike, cwd: string, files: readonly string[], env: GitEnv): Promise<boolean> {
+  const proc = bun.spawn({
+    cmd: ['git', 'update-index', '-z', '--force-remove', '--stdin'],
+    cwd,
+    env,
+    stdin: new TextEncoder().encode(files.join('\0')),
+    stdout: 'pipe',
+    stderr: 'pipe',
+  })
+  return (await proc.exited) === 0
+}
+
+type BunLike = { spawn: typeof Bun.spawn }
+
+function getBun(): BunLike | undefined {
+  return (globalThis as { Bun?: BunLike }).Bun
+}

package/src/hostd/daemon.ts

@@ -70,7 +70,7 @@ export type RestartPreflight = (input: {
 
 export type PortbrokerCallbacks = {
   start: (input: PortbrokerStartInput) => Promise<void>
-  stop: (containerName: string, reason: 'deregistered' | 'broker-stopped') => Promise<void>
+  stop: (containerName: string, reason: 'deregistered' | 'broker-stopped' | 'fatal-auth') => Promise<void>
   // Returns ports the broker is currently exposing on the host for this
   // container. Empty array when the container is unregistered, when the broker
   // is disabled (`portForward.allow: []`), or when nothing inside the
@@ -87,6 +87,7 @@ export type PortbrokerStartInput = {
   brokerToken: string
   onEvent: (event: PortForwardEvent) => void
   onTailscaleServeEvent: (event: TailscaleServeEvent) => void
+  onFatalAuthFailure?: (info: { brokerToken: string; reason: string }) => void
 }
 
 export type DaemonLogEvent =
@@ -227,6 +228,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   const version = opts.version ?? UNVERSIONED_SENTINEL
   const cwds = new Map<string, string>()
   const restartTokens = new Map<string, string>()
+  const brokerTokens = new Map<string, string>()
   const perContainerSerial = new Map<string, Promise<unknown>>()
   const gcMisses = new Map<string, number>()
   let stopped = false
@@ -285,6 +287,24 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     } catch {}
   }
 
+  // A broker reports fatal auth when its token no longer matches the running
+  // container (typically a stale T_old broker revived on hostd boot racing a
+  // container that now expects T_new). The token guard is load-bearing: a fresh
+  // register may have overwritten brokerTokens with T_new before this late
+  // callback fires, in which case we must NOT delete the live registration.
+  const handleFatalAuthFailure = (containerName: string, failedToken: string, reason: string): Promise<void> =>
+    runSerially(containerName, async () => {
+      if (brokerTokens.get(containerName) !== failedToken) return
+      brokerTokens.delete(containerName)
+      cwds.delete(containerName)
+      restartTokens.delete(containerName)
+      gcMisses.delete(containerName)
+      if (opts.portbroker) await opts.portbroker.stop(containerName, 'fatal-auth').catch(() => {})
+      if (opts.kakaoRenewal) await opts.kakaoRenewal.stop(containerName).catch(() => {})
+      await removeRegistrationFile(containerName)
+      log({ kind: 'registration-skipped', containerName, reason: `fatal broker auth: ${reason}` })
+    })
+
   const applyRegistration = async (payload: RegisterPayload): Promise<void> => {
     const alreadyRegistered = cwds.has(payload.containerName)
     cwds.set(payload.containerName, payload.cwd)
@@ -299,6 +319,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       payload.portForward !== undefined &&
       payload.brokerToken !== undefined
     ) {
+      brokerTokens.set(payload.containerName, payload.brokerToken)
       await opts.portbroker.start({
         containerName: payload.containerName,
         cwd: payload.cwd,
@@ -307,6 +328,9 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
         brokerToken: payload.brokerToken,
         onEvent: (event) => log({ kind: 'port-forward-event', event }),
         onTailscaleServeEvent: (event) => log({ kind: 'tailscale-serve-event', event }),
+        onFatalAuthFailure: ({ brokerToken, reason }) => {
+          void handleFatalAuthFailure(payload.containerName, brokerToken, reason)
+        },
       })
     }
     if (opts.kakaoRenewal) {
@@ -335,6 +359,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     runSerially(req.containerName, async () => {
       const hadCwd = cwds.delete(req.containerName)
       restartTokens.delete(req.containerName)
+      brokerTokens.delete(req.containerName)
       gcMisses.delete(req.containerName)
       if (opts.portbroker) await opts.portbroker.stop(req.containerName, 'deregistered').catch(() => {})
       if (opts.kakaoRenewal) await opts.kakaoRenewal.stop(req.containerName).catch(() => {})

package/src/hostd/portbroker-manager.ts

@@ -70,6 +70,13 @@ export function createPortbrokerManager(opts: PortbrokerManagerOptions = {}): Po
           if (event.kind === 'port-forward-opened') tailscale.servePort(event.port)
           else if (event.kind === 'port-forward-closed') tailscale.stopPort(event.port)
         },
+        onFatalAuthFailure: (reason) => {
+          // The broker has already stopped itself. Drop it from the map so a
+          // later stop()/start() doesn't double-stop or race the dead instance,
+          // then let hostd GC the stale registration (token-guarded).
+          if (brokers.get(input.containerName) === broker) brokers.delete(input.containerName)
+          input.onFatalAuthFailure?.({ brokerToken: input.brokerToken, reason })
+        },
         onLog: (msg) => log(`[portbroker:${input.containerName}] ${msg}`),
       })
       brokers.set(input.containerName, broker)

package/src/init/dockerfile.ts

@@ -1336,7 +1336,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean \\
  && mkdir -p -m 755 /etc/apt/keyrings`
 
 // Layer 2.5: install pinned curl-impersonate (lexiforest fork) for the
-// websearch tool's DDG scraper. Required to evade DDG's TLS/HTTP2
+// web_search tool's DDG scraper. Required to evade DDG's TLS/HTTP2
 // fingerprinting on residential IPs — see src/agent/tools/ddg.ts for the
 // full rationale. Placed after Layer 2 so curl + ca-certificates + tar
 // (already in baseline) are present, and before agent-browser so a version

package/src/init/gitignore.ts

@@ -2,6 +2,29 @@ import type { GitignoreConfig } from '@/config/config'
 
 export const GITIGNORE_FILE = '.gitignore'
 
+// Match scope for the untrack reconciler (src/git/reconcile-ignored.ts): when a
+// tracked file later matches one of these, start() removes it from the index.
+export const TRULY_IGNORED_PATTERNS = [
+  '.env',
+  '.env.local',
+  'secrets.json',
+  'auth.json',
+  '.typeclaw/home/',
+  'node_modules/',
+  'packages/*/node_modules/',
+  'workspace/',
+  'public/',
+  'mounts/',
+  'Dockerfile',
+  '.DS_Store',
+] as const
+
+// Gitignored but force-committed by TypeClaw (auto-backup, dreaming, channels).
+// The reconciler MUST fail-closed and never untrack these, even if a custom
+// git.ignore.append pattern (e.g. `**`) matches them — doing so would drop
+// runtime-owned state out of git.
+export const SYSTEM_MANAGED_ROOTS = ['sessions/', 'memory/', 'channels/', 'todo/'] as const
+
 export function buildGitignore(config: GitignoreConfig = { append: [] }): string {
   const customEntries = renderCustomGitignoreEntries(config.append)
 
@@ -24,24 +47,13 @@ export function buildGitignore(config: GitignoreConfig = { append: [] }): string
 # $HOME (e.g. ~/.codex/auth.json) into the bind-mounted agent folder so
 # tool credentials survive container restarts. Always credentials; never
 # commit.
-.env
-.env.local
-secrets.json
-auth.json
-.typeclaw/home/
-node_modules/
-packages/*/node_modules/
-workspace/
-mounts/
-Dockerfile
-.DS_Store
+${TRULY_IGNORED_PATTERNS.join('\n')}
 
 # System-managed: gitignored by default so the agent never stages them by hand,
-# but TypeClaw force-commits them on its own schedule (sessions/ via auto-backup,
-# memory/ via the dreaming subagent). Treat them as runtime-owned, not agent-owned.
-sessions/
-memory/
-channels/
+# but TypeClaw force-commits them on its own schedule (sessions/ + todo/ via
+# auto-backup, memory/ via the dreaming subagent). Treat them as runtime-owned,
+# not agent-owned.
+${SYSTEM_MANAGED_ROOTS.join('\n')}
 `
 }
 

package/src/inspect/index.ts

@@ -34,6 +34,7 @@ export type RunInspectOptions = {
   // caller's loop inspects its own scope intent to tell back from exit.
   signal?: AbortSignal
   liveHint?: string
+  interactive?: boolean
 }
 
 export type SelectSessionOptions = {
@@ -53,7 +54,20 @@ export type RunInspectResult =
   | { ok: true; exitCode: 0; escToPicker?: boolean }
   | { ok: false; exitCode: number; reason: string }
 
-export async function runInspect(opts: RunInspectOptions): Promise<RunInspectResult> {
+export type InspectTarget = {
+  summary: SessionSummary
+  filter: InspectFilter
+  sinceMs: number | undefined
+}
+
+export type ResolveInspectResult = { ok: true; target: InspectTarget } | { ok: false; exitCode: number; reason: string }
+
+// Picker phase, split out from the streaming phase so the tail scope is created
+// AFTER the picker, never before. A raw-mode 'data' listener active during the
+// Clack picker (which forces cooked mode via prepareStdinForClack) fights Clack
+// for stdin and leaves the later stream in cooked mode — that was the recurring
+// "esc does nothing" regression.
+export async function resolveInspectTarget(opts: Omit<RunInspectOptions, 'signal'>): Promise<ResolveInspectResult> {
   const filterResult = parseFilter(opts.filter)
   if (!filterResult.ok) return { ok: false, exitCode: 2, reason: filterResult.reason }
   const filter = filterResult.filter
@@ -70,10 +84,24 @@ export async function runInspect(opts: RunInspectOptions): Promise<RunInspectRes
   const summary = await chooseSession(opts, sessionsDir, sinceMs)
   if (!summary.ok) return summary
 
+  return { ok: true, target: { summary: summary.summary, filter, sinceMs } }
+}
+
+export async function runInspect(opts: RunInspectOptions): Promise<RunInspectResult> {
+  const resolved = await resolveInspectTarget(opts)
+  if (!resolved.ok) return resolved
+  return streamInspectTarget({ ...opts, target: resolved.target })
+}
+
+export async function streamInspectTarget(
+  opts: Omit<RunInspectOptions, 'sessionIdOrPrefix' | 'filter' | 'since' | 'selectSession'> & {
+    target: InspectTarget
+  },
+): Promise<RunInspectResult> {
   const streamResult = await streamSession({
-    summary: summary.summary,
-    filter,
-    sinceMs,
+    summary: opts.target.summary,
+    filter: opts.target.filter,
+    sinceMs: opts.target.sinceMs,
     json: opts.json === true,
     color: opts.color,
     stdout: opts.stdout,
@@ -81,6 +109,7 @@ export async function runInspect(opts: RunInspectOptions): Promise<RunInspectRes
     ...(opts.liveSource !== undefined ? { liveSource: opts.liveSource } : {}),
     ...(opts.signal !== undefined ? { signal: opts.signal } : {}),
     ...(opts.liveHint !== undefined ? { liveHint: opts.liveHint } : {}),
+    ...(opts.interactive === true ? { interactive: true } : {}),
   })
   if (streamResult.escToPicker) return { ok: true, exitCode: 0, escToPicker: true }
   return { ok: true, exitCode: 0 }
@@ -146,6 +175,7 @@ async function streamSession(opts: {
   liveSource?: LiveSourceFactory
   signal?: AbortSignal
   liveHint?: string
+  interactive?: boolean
 }): Promise<{ escToPicker: boolean }> {
   if (!opts.json) writeHeader(opts.summary, opts.color, opts.stdout)
   const emit = (event: InspectEvent): void => {
@@ -167,6 +197,18 @@ async function streamSession(opts: {
 
   if (opts.liveSource === undefined) {
     if (!opts.json) opts.stdout('─── end of transcript ───')
+    // Already aborted during replay (user pressed esc/q): honor it, don't lose the keystroke.
+    if (aborted()) return { escToPicker: true }
+    // Interactive replay-only: hold a stable viewer like `dreams` instead of
+    // bouncing straight back to the picker. Block until the tail scope aborts
+    // (esc → back, q/ctrl-c → exit). Never block without a signal (non-TTY has
+    // no listener and would hang) or in json/non-interactive mode (scriptability).
+    if (opts.interactive === true && !opts.json && opts.signal !== undefined) {
+      if (opts.liveHint !== undefined && opts.liveHint !== '') {
+        opts.stdout(divider(opts.color, opts.liveHint))
+      }
+      await waitForAbort(opts.signal)
+    }
     return { escToPicker: aborted() }
   }
 
@@ -208,6 +250,13 @@ function divider(color: boolean, text: string): string {
   return text
 }
 
+export async function waitForAbort(signal: AbortSignal): Promise<void> {
+  if (signal.aborted) return
+  await new Promise<void>((resolve) => {
+    signal.addEventListener('abort', () => resolve(), { once: true })
+  })
+}
+
 function writeHeader(summary: SessionSummary, color: boolean, stdout: (line: string) => void): void {
   const id = shortSessionId(summary.sessionId)
   const label = summary.origin === null ? '(unknown origin)' : originLabel(summary.origin)

package/src/inspect/loop.ts

@@ -1,4 +1,4 @@
-import { runInspect, type RunInspectOptions, type RunInspectResult } from './index'
+import { resolveInspectTarget, type RunInspectOptions, type RunInspectResult, streamInspectTarget } from './index'
 
 export type TailController = {
   signal: AbortSignal
@@ -8,9 +8,10 @@ export type TailController = {
 
 export type RunInspectLoopOptions = Omit<RunInspectOptions, 'signal'> & {
   // Builds a fresh interaction scope for ONE live-tail attempt: a new
-  // AbortController plus a temporary raw-mode listener. The loop disposes it
-  // before the picker re-opens so clack always owns a clean, non-raw stdin —
-  // this is what replaces the old pause/resume-same-controller model.
+  // AbortController plus a temporary raw-mode listener. The loop creates it
+  // only AFTER the picker has resolved a session and disposes it before the
+  // picker re-opens, so clack always owns a clean, non-raw stdin — this is what
+  // replaces the old pause/resume-same-controller model.
   createTailScope: () => TailController
 }
 
@@ -25,17 +26,20 @@ export async function runInspectLoop(opts: RunInspectLoopOptions): Promise<RunIn
   }
 
   while (true) {
+    const resolveOpts: Omit<RunInspectOptions, 'signal'> = { ...opts, selectSession: wrappedSelectSession }
+    if (sessionArg !== undefined) resolveOpts.sessionIdOrPrefix = sessionArg
+    else delete (resolveOpts as { sessionIdOrPrefix?: string }).sessionIdOrPrefix
+
+    // Picker phase: cooked-mode stdin, no tail scope alive.
+    const resolved = await resolveInspectTarget(resolveOpts)
+    if (!resolved.ok) return resolved
+
+    // Streaming phase: scope owns raw-mode stdin start-to-dispose, never
+    // spanning the picker above or the next iteration's picker below.
     const scope = opts.createTailScope()
     let result: RunInspectResult
     try {
-      const callOpts: RunInspectOptions = {
-        ...opts,
-        selectSession: wrappedSelectSession,
-        signal: scope.signal,
-      }
-      if (sessionArg !== undefined) callOpts.sessionIdOrPrefix = sessionArg
-      else delete (callOpts as { sessionIdOrPrefix?: string }).sessionIdOrPrefix
-      result = await runInspect(callOpts)
+      result = await streamInspectTarget({ ...opts, target: resolved.target, signal: scope.signal })
     } finally {
       scope.dispose()
     }

package/src/plugin/define.ts

@@ -78,5 +78,5 @@ export const writeTool: BuiltinToolRef = { __builtinTool: 'write' }
 export const grepTool: BuiltinToolRef = { __builtinTool: 'grep' }
 export const findTool: BuiltinToolRef = { __builtinTool: 'find' }
 export const lsTool: BuiltinToolRef = { __builtinTool: 'ls' }
-export const websearchTool: BuiltinToolRef = { __builtinTool: 'websearch' }
-export const webfetchTool: BuiltinToolRef = { __builtinTool: 'webfetch' }
+export const webSearchTool: BuiltinToolRef = { __builtinTool: 'web_search' }
+export const webFetchTool: BuiltinToolRef = { __builtinTool: 'web_fetch' }

package/src/plugin/index.ts

@@ -9,8 +9,8 @@ export {
   grepTool,
   lsTool,
   readTool,
-  webfetchTool,
-  websearchTool,
+  webFetchTool,
+  webSearchTool,
   writeTool,
 } from './define'
 

package/src/portbroker/hostd-client.ts

@@ -25,6 +25,10 @@ export type BrokerOptions = {
   resolveHostPort: () => Promise<number | null>
   brokerToken: string
   onEvent: (event: PortForwardEvent) => void
+  // A broker's token is immutable for its lifetime, so an auth rejection can
+  // never be repaired by reconnecting. On auth nack the broker stops for good
+  // and reports the reason so hostd can GC the stale registration.
+  onFatalAuthFailure?: (reason: string) => void
   onLog?: (msg: string) => void
   connectWs?: (url: string) => Promise<WsClient>
   listenHost?: ListenHostFn
@@ -68,6 +72,11 @@ export type Broker = {
 const DEFAULT_RECONNECT_DELAYS = [1_000, 2_000, 4_000, 10_000]
 const DEFAULT_HOST_BIND = '127.0.0.1'
 
+// broker-hello-nack reasons emitted by container-server.ts when authentication
+// fails. These are immutable for a broker instance's lifetime, so reconnecting
+// the same broker can only reproduce them — the broker must stop instead.
+const AUTH_NACK_REASONS: ReadonlySet<string> = new Set(['invalid token', 'expected broker-hello first'])
+
 export function createBroker(opts: BrokerOptions): Broker {
   const log = opts.onLog ?? (() => {})
   const reconnectDelays = opts.reconnectDelaysMs ?? DEFAULT_RECONNECT_DELAYS
@@ -211,7 +220,11 @@ export function createBroker(opts: BrokerOptions): Broker {
         return
       case 'broker-hello-nack':
         log(`broker-hello rejected: ${msg.reason}`)
-        if (ws) ws.close()
+        if (AUTH_NACK_REASONS.has(msg.reason)) {
+          fatalStop(msg.reason)
+        } else if (ws) {
+          ws.close()
+        }
         return
       case 'port-listen-snapshot':
         for (const { port, bindAddr } of msg.ports) {
@@ -307,6 +320,27 @@ export function createBroker(opts: BrokerOptions): Broker {
     }, delay)
   }
 
+  const teardown = (): void => {
+    stopped = true
+    if (reconnectTimer !== null) {
+      clearTimeout(reconnectTimer)
+      reconnectTimer = null
+    }
+    teardownAllForwarders('broker-stopped')
+    if (ws) {
+      try {
+        ws.close()
+      } catch {}
+      ws = null
+    }
+  }
+
+  const fatalStop = (reason: string): void => {
+    if (stopped) return
+    teardown()
+    opts.onFatalAuthFailure?.(reason)
+  }
+
   return {
     start() {
       if (!brokerEnabled(opts.policy)) {
@@ -316,18 +350,7 @@ export function createBroker(opts: BrokerOptions): Broker {
       void connect()
     },
     async stop() {
-      stopped = true
-      if (reconnectTimer !== null) {
-        clearTimeout(reconnectTimer)
-        reconnectTimer = null
-      }
-      teardownAllForwarders('broker-stopped')
-      if (ws) {
-        try {
-          ws.close()
-        } catch {}
-        ws = null
-      }
+      teardown()
     },
     forwardedPorts() {
       return Array.from(forwarders.keys())