typeclaw 0.37.3 → 0.37.5

package/src/doctor/checks.ts

@@ -15,11 +15,12 @@ import {
   resolveHostPort,
   type DockerExec,
 } from '@/container'
-import { isDaemonReachable, send } from '@/hostd'
+import { homeRoot, isDaemonReachable, send } from '@/hostd'
 import { resolveBaseImageVersion } from '@/init/cli-version'
 import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
 import { detectMissingDeps } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
+import { detectWsl, isWindows, isWindowsDriveMount, type WslInfo } from '@/shared'
 
 import { buildChannelChecks } from './channel-checks'
 import type { DoctorCheck } from './types'
@@ -37,8 +38,11 @@ export function buildStaticChecks(opts: { dockerExec?: DockerExec } = {}): Docto
     agentFolderGitRepo(),
     configValid(),
     hostdHomeWritable(),
+    wslDriveMount(),
+    windowsSecretPerms(),
     hostdReachable(),
     hostdRegistration(),
+    windowsBindMount(),
     containerState(dockerExec),
     containerHostPort(),
     ...buildChannelChecks(),
@@ -237,6 +241,142 @@ function hostdHomeWritable(): DoctorCheck {
   }
 }
 
+export type WslDriveMountDeps = {
+  detect: () => WslInfo
+  isWindowsDriveMount: (path: string) => boolean
+  typeclawHome: () => string
+}
+
+// Under WSL, files on a Windows-drive mount (/mnt/c/...) don't enforce Unix
+// permissions, so the 0600 chmod that protects secrets.json and the encryption
+// keys is silently ignored — they become readable by every local user. Warn
+// when either the agent folder or ~/.typeclaw lives on such a mount.
+export function wslDriveMount(deps: Partial<WslDriveMountDeps> = {}): DoctorCheck {
+  const detect = deps.detect ?? detectWsl
+  const onWindowsDrive = deps.isWindowsDriveMount ?? isWindowsDriveMount
+  const typeclawHome = deps.typeclawHome ?? homeRoot
+
+  return {
+    name: 'hostd.wsl-drive-mount',
+    category: 'hostd',
+    description: 'agent state is not on a Windows-drive mount under WSL',
+    async run(ctx) {
+      if (!detect().isWsl) return { status: 'ok', message: 'not running under WSL' }
+
+      const offenders: string[] = []
+      if (ctx.hasAgentFolder && onWindowsDrive(ctx.cwd)) offenders.push(`agent folder: ${ctx.cwd}`)
+      const home = typeclawHome()
+      if (onWindowsDrive(home)) offenders.push(`hostd home: ${home}`)
+
+      if (offenders.length === 0) {
+        return { status: 'ok', message: 'agent state is on the Linux filesystem' }
+      }
+
+      return {
+        status: 'warning',
+        message: 'agent state is on a Windows-drive mount; file permissions are not enforced',
+        details: [
+          ...offenders,
+          'chmod is a no-op on /mnt/<drive> (DrvFs/9p), so secrets.json and encryption keys become world-readable.',
+        ],
+        fix: {
+          description:
+            'Move the agent folder to the WSL Linux filesystem (e.g. ~/my-agent) and, if needed, set TYPECLAW_HOME to a Linux path.',
+        },
+      }
+    },
+  }
+}
+
+export type WindowsSecretPermsDeps = {
+  isWindows: () => boolean
+  typeclawHome: () => string
+}
+
+// On native Windows the 0600/0700 modes typeclaw sets on secrets.json and the
+// encryption keys are no-ops — NTFS uses ACLs, not Unix modes — so their
+// confidentiality rests on the inherited %USERPROFILE% ACLs rather than the
+// hardening typeclaw enforces on POSIX. Surface that as a warning.
+export function windowsSecretPerms(deps: Partial<WindowsSecretPermsDeps> = {}): DoctorCheck {
+  const onWindows = deps.isWindows ?? isWindows
+  const typeclawHome = deps.typeclawHome ?? homeRoot
+
+  return {
+    name: 'hostd.windows-secret-perms',
+    category: 'hostd',
+    description: 'secrets rely on enforced file permissions (native Windows)',
+    async run(ctx) {
+      if (!onWindows()) return { status: 'ok', message: 'not running on native Windows' }
+
+      const details = [`hostd home: ${typeclawHome()}`]
+      if (ctx.hasAgentFolder) details.push(`agent folder: ${ctx.cwd}`)
+      details.push(
+        'NTFS ignores the 0600/0700 chmod typeclaw applies to secrets.json and encryption keys; their confidentiality relies on the inherited %USERPROFILE% ACLs instead.',
+      )
+
+      return {
+        status: 'warning',
+        message: 'native Windows does not enforce the file modes that protect agent secrets',
+        details,
+        fix: {
+          description:
+            'Keep the agent folder and ~/.typeclaw under your user profile, where default ACLs restrict access to your account; avoid a shared or everyone-readable location.',
+        },
+      }
+    },
+  }
+}
+
+export type WindowsBindMountDeps = {
+  isWindows: () => boolean
+}
+
+// Docker Desktop bind-mounts the agent folder into its Linux VM, and a few host
+// locations don't survive that translation: UNC/network paths (\\server\share)
+// aren't shareable, OneDrive-virtualized folders fail on placeholder files, and
+// paths near the legacy MAX_PATH (260) limit break mid-build. Flag them so
+// `typeclaw start` fails loudly here instead of cryptically at mount time.
+export function windowsBindMount(deps: Partial<WindowsBindMountDeps> = {}): DoctorCheck {
+  const onWindows = deps.isWindows ?? isWindows
+
+  return {
+    name: 'container.windows-bind-mount',
+    category: 'container',
+    description: 'agent folder is bind-mountable by Docker Desktop (native Windows)',
+    applies: (ctx) => ctx.hasAgentFolder,
+    async run(ctx) {
+      if (!onWindows()) return { status: 'ok', message: 'not running on native Windows' }
+
+      const issues = detectWindowsBindMountIssues(ctx.cwd)
+      if (issues.length === 0) return { status: 'ok', message: 'agent folder path is bind-mountable' }
+
+      return {
+        status: 'warning',
+        message: 'agent folder may not bind-mount cleanly under Docker Desktop',
+        details: issues,
+        fix: {
+          description:
+            'Use a local, short, non-OneDrive path under your user profile (e.g. C:\\agents\\my-agent), then re-run typeclaw start.',
+        },
+      }
+    },
+  }
+}
+
+export function detectWindowsBindMountIssues(path: string): string[] {
+  const issues: string[] = []
+  if (path.startsWith('\\\\')) {
+    issues.push(`UNC/network path is not shareable with Docker Desktop: ${path}`)
+  }
+  if (path.split(/[\\/]/).some((seg) => /^onedrive(?: -.*)?$/i.test(seg))) {
+    issues.push(`path is under OneDrive, where virtualized files can break bind mounts: ${path}`)
+  }
+  if (path.length > 260) {
+    issues.push(`path length ${path.length} exceeds the legacy Windows MAX_PATH (260) limit`)
+  }
+  return issues
+}
+
 function hostdReachable(): DoctorCheck {
   return {
     name: 'hostd.reachable',
@@ -362,9 +502,12 @@ function loadConfigStrictForTemplate(
   return { dockerfile: cfg.docker.file, gitignore: cfg.git.ignore }
 }
 
+// Normalizes CRLF to LF: the managed templates are emitted with `\n`, but a
+// checkout under Git for Windows (core.autocrlf=true) rewrites them to `\r\n`,
+// which would make the byte-exact template comparison report a false divergence.
 async function safeRead(path: string): Promise<string | null> {
   try {
-    return await readFile(path, 'utf8')
+    return (await readFile(path, 'utf8')).replace(/\r\n/g, '\n')
   } catch {
     return null
   }

package/src/hostd/client.ts

@@ -1,16 +1,21 @@
 import { existsSync } from 'node:fs'
+import { connect, type Socket as NetSocket } from 'node:net'
 
-import type { Socket } from 'bun'
+import { isWindows } from '@/shared'
 
 import { socketPath } from './paths'
 import type { Request, Response } from './protocol'
 
 const DEFAULT_TIMEOUT_MS = 3_000
 
-export async function isDaemonReachable(timeoutMs = DEFAULT_TIMEOUT_MS): Promise<boolean> {
-  if (!existsSync(socketPath())) return false
+export async function isDaemonReachable(
+  timeoutMs = DEFAULT_TIMEOUT_MS,
+  opts: Pick<SendOptions, 'socket'> = {},
+): Promise<boolean> {
+  const path = opts.socket ?? socketPath()
+  if (!isWindows() && !existsSync(path)) return false
   try {
-    const reply = await send({ kind: 'list' }, { timeoutMs })
+    const reply = await send({ kind: 'list' }, { timeoutMs, socket: path })
     return reply.ok
   } catch {
     return false
@@ -58,56 +63,47 @@ export async function send(req: Request, opts: SendOptions = {}): Promise<Respon
   const path = opts.socket ?? socketPath()
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS
 
-  type State = { buf: string; resolve: (r: Response) => void }
-  const state: State = {
-    buf: '',
-    resolve: () => {},
-  }
+  return new Promise<Response>((resolve) => {
+    let buf = ''
+    let settled = false
+    let sock: NetSocket | null = null
+    let timer: ReturnType<typeof setTimeout> | null = null
 
-  const replyPromise = new Promise<Response>((resolve) => {
-    state.resolve = resolve
-  })
+    const finish = (response: Response, destroy = false): void => {
+      if (settled) return
+      settled = true
+      if (timer) clearTimeout(timer)
+      if (sock) {
+        try {
+          if (destroy) sock.destroy()
+          else sock.end()
+        } catch {}
+      }
+      resolve(response)
+    }
 
-  let sock: Socket<State>
-  try {
-    sock = await Bun.connect<State>({
-      unix: path,
-      socket: {
-        data: (s, chunk) => {
-          s.data.buf += chunk.toString('utf8')
-          const newline = s.data.buf.indexOf('\n')
-          if (newline < 0) return
-          const line = s.data.buf.slice(0, newline)
-          try {
-            const parsed = JSON.parse(line) as Response
-            s.data.resolve(parsed)
-          } catch {
-            s.data.resolve({ ok: false, reason: 'invalid response from daemon' })
-          }
-          s.end()
-        },
-        close: () => {},
-        error: () => {
-          state.resolve({ ok: false, reason: 'socket error' })
-        },
-      },
+    timer = setTimeout(() => finish({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }, true), timeoutMs)
+    sock = connect(path)
+    sock.on('connect', () => {
+      try {
+        sock?.write(`${JSON.stringify(req)}\n`)
+      } catch (error) {
+        finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
+      }
+    })
+    sock.on('data', (chunk: Buffer) => {
+      buf += chunk.toString('utf8')
+      const newline = buf.indexOf('\n')
+      if (newline < 0) return
+      const line = buf.slice(0, newline)
+      try {
+        finish(JSON.parse(line) as Response)
+      } catch {
+        finish({ ok: false, reason: 'invalid response from daemon' }, true)
+      }
+    })
+    sock.on('error', (error) => {
+      finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
     })
-  } catch (error) {
-    return { ok: false, reason: error instanceof Error ? error.message : String(error) }
-  }
-  sock.data = state
-  sock.write(`${JSON.stringify(req)}\n`)
-
-  let timer: ReturnType<typeof setTimeout> | null = null
-  const timeoutPromise = new Promise<Response>((resolve) => {
-    timer = setTimeout(() => resolve({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }), timeoutMs)
   })
-  try {
-    return await Promise.race([replyPromise, timeoutPromise])
-  } finally {
-    if (timer) clearTimeout(timer)
-    try {
-      sock.end()
-    } catch {}
-  }
 }

package/src/hostd/daemon.ts

@@ -1,14 +1,14 @@
 import { existsSync } from 'node:fs'
 import { chmod, readdir, readFile, rename, unlink, writeFile } from 'node:fs/promises'
+import { createServer, type Server, type Socket as NetSocket } from 'node:net'
 import { join } from 'node:path'
 
-import type { Socket, UnixSocketListener } from 'bun'
-
 import type { PortForward } from '@/config'
 import { defaultDockerExec, type DockerExec } from '@/container'
 import type { PortForwardEvent } from '@/portbroker'
 import { kakaoChannelBlockSchema, lineChannelBlockSchema } from '@/secrets/schema'
 import { SecretsBackend } from '@/secrets/storage'
+import { isWindows } from '@/shared'
 
 import { isDaemonReachable } from './client'
 import type { KakaoRenewalCallbacks, KakaoRenewalLogEvent } from './kakao-renewal-manager'
@@ -121,8 +121,6 @@ const MAX_HTTP_REQUEST_BYTES = 64 * 1024
 // it's already in use by some other local service.
 const STABLE_HTTP_PORT = 8974
 
-type ServerState = { buf: string }
-
 function json(response: RpcResponse, status = 200): globalThis.Response {
   return new Response(JSON.stringify(response), {
     status,
@@ -208,12 +206,54 @@ function stringifyError(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
 }
 
+function errorCode(error: Error): unknown {
+  const direct = error as Error & { code?: unknown; cause?: unknown }
+  if (direct.code !== undefined) return direct.code
+  if (direct.cause instanceof Error) return errorCode(direct.cause)
+  return undefined
+}
+
+async function listenOnSocket(server: Server, path: string, onWindows: boolean): Promise<void> {
+  await new Promise<void>((resolve, reject) => {
+    const onError = (error: Error): void => {
+      server.off('error', onError)
+      const code = errorCode(error)
+      if (code === 'EADDRINUSE' || (onWindows && error.message.includes('Failed to listen at'))) {
+        reject(new Error(`another typeclaw host daemon is already listening at ${path}`))
+        return
+      }
+      reject(error)
+    }
+    server.once('error', onError)
+    server.listen(path, () => {
+      server.off('error', onError)
+      resolve()
+    })
+  })
+}
+
+async function closeSocketServer(server: Server, sockets: Set<NetSocket>): Promise<void> {
+  await new Promise<void>((resolve) => {
+    try {
+      server.close(() => resolve())
+    } catch {
+      resolve()
+    }
+    for (const socket of sockets) {
+      try {
+        socket.destroy()
+      } catch {}
+    }
+  })
+}
+
 export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   await ensureDirs()
   const path = opts.socket ?? socketPath()
+  const onWindows = isWindows()
 
-  if (existsSync(path)) {
-    if (await isDaemonReachable(500)) {
+  if (!onWindows && existsSync(path)) {
+    if (await isDaemonReachable(500, { socket: path })) {
       throw new Error(`another typeclaw host daemon is already listening at ${path}`)
     }
     try {
@@ -488,37 +528,37 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     }
   }
 
-  const respond = (sock: Socket<ServerState>, response: RpcResponse): void => {
+  const respond = (socket: NetSocket, response: RpcResponse): void => {
     try {
-      sock.write(`${JSON.stringify(response)}\n`)
+      socket.write(`${JSON.stringify(response)}\n`)
     } catch {}
     try {
-      sock.end()
+      socket.end()
     } catch {}
   }
 
-  const handleData = (sock: Socket<ServerState>, chunk: Buffer): void => {
-    sock.data.buf += chunk.toString('utf8')
-    if (sock.data.buf.length > MAX_REQUEST_BUFFER_BYTES) {
-      respond(sock, { ok: false, reason: 'request exceeds buffer limit' })
+  const handleData = (socket: NetSocket, chunk: Buffer, state: { buf: string }): void => {
+    state.buf += chunk.toString('utf8')
+    if (state.buf.length > MAX_REQUEST_BUFFER_BYTES) {
+      respond(socket, { ok: false, reason: 'request exceeds buffer limit' })
       return
     }
-    let newline = sock.data.buf.indexOf('\n')
+    let newline = state.buf.indexOf('\n')
     while (newline >= 0) {
-      const line = sock.data.buf.slice(0, newline)
-      sock.data.buf = sock.data.buf.slice(newline + 1)
+      const line = state.buf.slice(0, newline)
+      state.buf = state.buf.slice(newline + 1)
       let req: Request
       try {
         req = JSON.parse(line) as Request
       } catch {
-        respond(sock, { ok: false, reason: 'invalid request json' })
+        respond(socket, { ok: false, reason: 'invalid request json' })
         return
       }
       void dispatch(req).then(
-        (response) => respond(sock, response),
-        (error) => respond(sock, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
+        (response) => respond(socket, response),
+        (error) => respond(socket, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
       )
-      newline = sock.data.buf.indexOf('\n')
+      newline = state.buf.indexOf('\n')
     }
   }
 
@@ -599,25 +639,28 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   }
 
   // Boot-time restore: replay every persisted registration into the in-memory
-  // maps and revive portbroker for it. Runs before Bun.listen so the socket
+  // maps and revive portbroker for it. Runs before the IPC listener so the socket
   // is never accepting RPCs against a half-restored registry. A bad file
   // (parse error, schema mismatch) is logged-and-skipped — one corrupt
   // registration must not gate every other container's recovery.
   await restorePersistedRegistrations(applyRegistration, log, probeContainerAlive, removeRegistrationFile)
 
-  const listener: UnixSocketListener<ServerState> = Bun.listen<ServerState>({
-    unix: path,
-    socket: {
-      open: (sock) => {
-        sock.data = { buf: '' }
-      },
-      data: handleData,
-      close: () => {},
-      error: () => {},
-    },
+  const sockets = new Set<NetSocket>()
+  const listener = createServer((socket) => {
+    const state = { buf: '' }
+    sockets.add(socket)
+    socket.on('data', (chunk: Buffer) => handleData(socket, chunk, state))
+    socket.on('close', () => sockets.delete(socket))
+    socket.on('error', () => {})
   })
-  // Restrict socket to the owning user; ~/.typeclaw/run is also 0700.
-  await chmod(path, 0o600).catch(() => {})
+  try {
+    await listenOnSocket(listener, path, onWindows)
+  } catch (error) {
+    httpServer.stop(true)
+    throw error
+  }
+  // Restrict POSIX sockets to the owning user; ~/.typeclaw/run is also 0700.
+  if (!onWindows) await chmod(path, 0o600).catch(() => {})
   log({ kind: 'daemon-listening', socket: path })
 
   const runGc = async (): Promise<void> => {
@@ -658,9 +701,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       stopped = true
       log({ kind: 'daemon-stopping' })
       clearInterval(gcTimer)
-      try {
-        listener.stop(true)
-      } catch {}
+      await closeSocketServer(listener, sockets)
       httpServer.stop(true)
       if (opts.portbroker) {
         const names = Array.from(cwds.keys())
@@ -672,9 +713,11 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       }
       cwds.clear()
       restartTokens.clear()
-      try {
-        if (existsSync(path)) await unlink(path)
-      } catch {}
+      if (!onWindows) {
+        try {
+          if (existsSync(path)) await unlink(path)
+        } catch {}
+      }
     },
   }
   return daemonHandle

package/src/hostd/paths.ts

@@ -1,6 +1,9 @@
+import { createHash } from 'node:crypto'
 import { chmod, mkdir } from 'node:fs/promises'
-import { homedir } from 'node:os'
-import { join } from 'node:path'
+import { homedir, userInfo } from 'node:os'
+import { join, resolve } from 'node:path'
+
+import { isWindows } from '@/shared'
 
 // Fixed in-container path where the host daemon's run dir is bind-mounted.
 // The agent uses this to reach the host daemon (e.g. for the `restart` tool).
@@ -33,9 +36,26 @@ export function logDir(): string {
 }
 
 export function socketPath(): string {
+  if (isWindows()) return windowsPipePath()
   return join(runDir(), SOCKET_FILE)
 }
 
+function windowsPipePath(): string {
+  const uid =
+    typeof process.getuid === 'function'
+      ? `uid:${process.getuid()}`
+      : `user:${process.env.USERDOMAIN ?? ''}\\${userInfo().username}`
+  // Locale-invariant lowercasing: toLocaleLowerCase under e.g. tr-TR would map
+  // 'I' to a dotless 'ı', hashing the same path differently per process locale.
+  const scopedHome = resolve(homeRoot()).toLowerCase()
+  const hash = createHash('sha256').update(`${uid}\0${scopedHome}`).digest('hex').slice(0, 32)
+
+  // Node's net named-pipe API has no portable ACL hook. TypeClaw accepts that
+  // under the single-tenant dev-box model; the per-user/per-home pipe name keeps
+  // the pipe scoped, while the separate HTTP leg remains restart/secrets-only.
+  return `\\\\.\\pipe\\typeclaw-hostd-${hash}`
+}
+
 export function pidfilePath(): string {
   return join(runDir(), 'hostd.pid')
 }

package/src/hostd/spawn.ts

@@ -1,6 +1,8 @@
 import { existsSync } from 'node:fs'
 import { open, readFile, unlink, writeFile } from 'node:fs/promises'
 
+import { isWindows } from '@/shared'
+
 import { isDaemonReachable, send } from './client'
 import { ensureDirs, lockfilePath, logfilePath, pidfilePath, socketPath } from './paths'
 import type { HttpInfoResult, VersionResult } from './protocol'
@@ -75,6 +77,11 @@ async function requestShutdownAndWait(): Promise<boolean> {
   if (!reply.ok) return false
   const deadline = Date.now() + SHUTDOWN_TIMEOUT_MS
   while (Date.now() < deadline) {
+    if (isWindows()) {
+      if (!(await isDaemonReachable(POLL_INTERVAL_MS))) return true
+      await sleep(POLL_INTERVAL_MS)
+      continue
+    }
     if (!existsSync(socketPath())) return true
     await sleep(POLL_INTERVAL_MS)
   }

package/src/hostd/tailscale.ts

@@ -1,4 +1,5 @@
 import { getBun } from '@/container/shared'
+import { isMacOS, isWindows } from '@/shared'
 
 export type TailscaleExecResult = { exitCode: number; stdout: string; stderr: string }
 export type TailscaleExec = (args: string[]) => Promise<TailscaleExecResult>
@@ -33,6 +34,7 @@ type TailscaleStatus = {
 }
 
 const MACOS_APP_CLI = '/Applications/Tailscale.app/Contents/MacOS/Tailscale'
+const WINDOWS_CLI = 'C:\\Program Files\\Tailscale\\tailscale.exe'
 
 export function createTailscaleServeManager(opts: TailscaleServeManagerOptions): TailscaleServeManager {
   const exec = opts.exec ?? defaultTailscaleExec
@@ -129,8 +131,17 @@ async function checkRunning(exec: TailscaleExec): Promise<{ ok: true } | { ok: f
   return { ok: true }
 }
 
+// `tailscale` on PATH is tried first everywhere; the platform-specific absolute
+// path is a fallback for GUI installs that leave the CLI off PATH (the macOS app
+// bundle, the Windows default install dir).
+export function tailscaleCandidates(platform: NodeJS.Platform = process.platform): string[] {
+  if (isMacOS(platform)) return ['tailscale', MACOS_APP_CLI]
+  if (isWindows(platform)) return ['tailscale', WINDOWS_CLI]
+  return ['tailscale']
+}
+
 export const defaultTailscaleExec: TailscaleExec = async (args) => {
-  const candidates = process.platform === 'darwin' ? ['tailscale', MACOS_APP_CLI] : ['tailscale']
+  const candidates = tailscaleCandidates()
   let lastError = 'tailscale command not found'
 
   for (const candidate of candidates) {