typeclaw 0.37.4 → 0.37.5

package/src/cli/inspect.ts

@@ -1,7 +1,6 @@
 import { defineCommand } from 'citty'
 
 import { requireContainerRunning, resolveHostPort, resolveTuiToken } from '@/container'
-import { findAgentDir } from '@/init'
 import {
   fetchLiveSessions,
   listViewerItems,
@@ -20,6 +19,7 @@ import {
 import { originLabel, shortSessionId } from '@/inspect/label'
 
 import { createTailScope } from './inspect-controller'
+import { requireAgentDir } from './require-agent-dir'
 import { cancel, c, errorLine, isCancel, prepareStdinForClack } from './ui'
 
 const ESC_DEBOUNCE_MS = 50
@@ -51,7 +51,7 @@ export const inspectCommand = defineCommand({
     },
   },
   async run({ args }) {
-    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+    const cwd = requireAgentDir()
     const color = useColor()
     const sessionArg = typeof args.session === 'string' ? args.session : undefined
     const filterArg = typeof args.filter === 'string' ? args.filter : undefined

package/src/cli/logs.ts

@@ -1,9 +1,9 @@
 import { defineCommand } from 'citty'
 
 import { logs, parseTailValue } from '@/container'
-import { findAgentDir } from '@/init'
 
 import { runInspectViewer } from './inspect'
+import { requireAgentDir } from './require-agent-dir'
 import { c, errorLine } from './ui'
 
 export const logsCommand = defineCommand({
@@ -30,7 +30,7 @@ export const logsCommand = defineCommand({
     },
   },
   async run({ args }) {
-    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+    const cwd = requireAgentDir()
 
     let tail: string | undefined
     if (args.tail !== undefined) {

package/src/cli/require-agent-dir.ts

@@ -0,0 +1,31 @@
+import { findAgentDir, isInitialized } from '@/init'
+
+import { errorLine } from './ui'
+
+export type RequiredAgentDir = { ok: true; cwd: string } | { ok: false; message: string }
+
+const NOT_AN_AGENT_FOLDER = 'TypeClaw config file not found. Run `typeclaw init` first, or cd into an agent folder.'
+
+// Operational host-stage commands (inspect, tui, logs, stop, shell, dreams) act
+// on a specific agent's container or on-disk state, so they must run from inside
+// an agent folder. The `findAgentDir(...) ?? startDir` fallback every caller used
+// silently degraded these commands into an agent-less view — e.g. `inspect` would
+// warn "container not running" and then offer only the container-logs row — instead
+// of failing. Resolving to a fail result keeps the existence check explicit.
+//
+// Diagnostic commands (status, doctor, role list) deliberately tolerate a missing
+// agent folder and must NOT use this gate.
+export function resolveRequiredAgentDir(startDir: string): RequiredAgentDir {
+  const cwd = findAgentDir(startDir) ?? startDir
+  if (!isInitialized(cwd)) return { ok: false, message: NOT_AN_AGENT_FOLDER }
+  return { ok: true, cwd }
+}
+
+export function requireAgentDir(startDir: string = process.cwd()): string {
+  const result = resolveRequiredAgentDir(startDir)
+  if (!result.ok) {
+    console.error(errorLine(result.message))
+    process.exit(1)
+  }
+  return result.cwd
+}

package/src/cli/shell.ts

@@ -1,8 +1,8 @@
 import { defineCommand } from 'citty'
 
 import { shell } from '@/container'
-import { findAgentDir } from '@/init'
 
+import { requireAgentDir } from './require-agent-dir'
 import { c, errorLine } from './ui'
 
 export const shellCommand = defineCommand({
@@ -18,7 +18,7 @@ export const shellCommand = defineCommand({
     },
   },
   async run({ args }) {
-    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+    const cwd = requireAgentDir()
 
     console.log(c.cyan(`Attaching ${args.shell} inside the container...`))
 

package/src/cli/stop.ts

@@ -1,8 +1,8 @@
 import { defineCommand } from 'citty'
 
 import { stop } from '@/container'
-import { findAgentDir } from '@/init'
 
+import { requireAgentDir } from './require-agent-dir'
 import { c, spinner } from './ui'
 
 export const stopCommand = defineCommand({
@@ -11,7 +11,7 @@ export const stopCommand = defineCommand({
     description: 'stop the agent container (host stage)',
   },
   async run() {
-    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+    const cwd = requireAgentDir()
 
     const s = spinner()
     s.start('Stopping container...')

package/src/cli/tui.ts

@@ -1,12 +1,12 @@
 import { defineCommand } from 'citty'
 
 import { requireContainerRunning, resolveHostPort, resolveTuiToken } from '@/container'
-import { findAgentDir } from '@/init'
 import { CLI_VERSION } from '@/init/cli-version'
 import { runTuiViewer } from '@/inspect'
 import { formatVersionMismatchWarning } from '@/tui'
 
 import { runInspectViewer } from './inspect'
+import { requireAgentDir } from './require-agent-dir'
 import { errorLine } from './ui'
 
 export const tui = defineCommand({
@@ -27,9 +27,22 @@ export const tui = defineCommand({
     },
   },
   async run({ args }) {
-    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
-    const resolveUrl: () => Promise<string> =
-      args.url !== undefined ? async () => args.url as string : () => defaultUrl(cwd)
+    // An explicit --url targets an agent over the wire and needs no local agent
+    // folder — only the default-URL discovery and the esc-detach picker read
+    // local state. Require an agent folder only when --url is absent, mirroring
+    // how reload/cron/role claim gate their default-target path, not the whole
+    // command.
+    const explicitUrl = typeof args.url === 'string' ? args.url : undefined
+    let cwd: string | undefined
+    let resolveUrl: () => Promise<string>
+    if (explicitUrl === undefined) {
+      const agentDir = requireAgentDir()
+      cwd = agentDir
+      resolveUrl = () => defaultUrl(agentDir)
+    } else {
+      cwd = undefined
+      resolveUrl = async () => explicitUrl
+    }
 
     const result = await runTuiViewer({
       resolveUrl,
@@ -45,8 +58,9 @@ export const tui = defineCommand({
     // can pick another session or the container logs — `tui` is just a deep-link
     // into the session viewer, pre-opened on the live session. allowWritable
     // is false because detaching ended the live session, so no row may be
-    // offered as a writable "live TUI" anymore.
-    if (result.ok && result.escToPicker === true) {
+    // offered as a writable "live TUI" anymore. A --url-only run has no local
+    // agent folder to browse, so it exits instead of opening the local picker.
+    if (result.ok && result.escToPicker === true && cwd !== undefined) {
       const viewerExit = await runInspectViewer({ cwd, allowWritable: false })
       process.exit(viewerExit)
       return

package/src/container/shared.ts

@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto'
 import { basename, resolve } from 'node:path'
 
 export type DockerExecResult = { exitCode: number; stdout: string; stderr: string }
@@ -249,8 +250,25 @@ export function imageTagFromCwd(cwd: string): string {
 }
 
 // Docker container names must match [a-zA-Z0-9][a-zA-Z0-9_.-]*.
+//
+// Non-ASCII names (Korean/CJK/Cyrillic/accented Latin — the common Windows case
+// where the profile folder is a localized display name, e.g. C:\Users\사용자\봇)
+// have every out-of-charset character collapsed to a dash, so distinct folders
+// reduce to the SAME string: '봇' and '집' both → 'tc--'. The container name keys
+// hostd registration and the secrets key path, so that collision is silent
+// host-side state clobbering, not cosmetics. For any name carrying a non-ASCII
+// char we append a deterministic hash of the original (cf. makeUntitledSlug in
+// the memory plugin) to keep distinct folders distinct; surviving ASCII stays a
+// readable prefix. ASCII-only names take the original branch — never renamed.
 function sanitizeContainerName(name: string): string {
   const cleaned = name.replace(/[^a-zA-Z0-9_.-]/g, '-')
+  if (/[^\u0000-\u007f]/.test(name)) {
+    const hash = createHash('sha256').update(name).digest('hex').slice(0, 8)
+    const remnant = cleaned.replace(/-+/g, '-').replace(/^-+|-+$/g, '')
+    if (remnant === '') return `tc-${hash}`
+    const base = /^[a-zA-Z0-9]/.test(remnant) ? remnant : `tc-${remnant}`
+    return `${base}-${hash}`
+  }
   if (cleaned === '' || !/^[a-zA-Z0-9]/.test(cleaned)) {
     return `tc-${cleaned || 'agent'}`
   }

package/src/container/start.ts

@@ -671,7 +671,7 @@ export async function planStart({
   // so mounting an empty cache would only invite a confusing local_files_only
   // miss if something inside the container reached for the model anyway.
   if (agentUsesVector(cwd)) {
-    runArgs.push('-v', `${homeRoot()}/models:/opt/models:ro`)
+    runArgs.push('-v', `${join(homeRoot(), 'models')}:/opt/models:ro`)
     runArgs.push('-e', 'TYPECLAW_MODEL_CACHE=/opt/models')
   }
 

package/src/hostd/client.ts

@@ -1,16 +1,21 @@
 import { existsSync } from 'node:fs'
+import { connect, type Socket as NetSocket } from 'node:net'
 
-import type { Socket } from 'bun'
+import { isWindows } from '@/shared'
 
 import { socketPath } from './paths'
 import type { Request, Response } from './protocol'
 
 const DEFAULT_TIMEOUT_MS = 3_000
 
-export async function isDaemonReachable(timeoutMs = DEFAULT_TIMEOUT_MS): Promise<boolean> {
-  if (!existsSync(socketPath())) return false
+export async function isDaemonReachable(
+  timeoutMs = DEFAULT_TIMEOUT_MS,
+  opts: Pick<SendOptions, 'socket'> = {},
+): Promise<boolean> {
+  const path = opts.socket ?? socketPath()
+  if (!isWindows() && !existsSync(path)) return false
   try {
-    const reply = await send({ kind: 'list' }, { timeoutMs })
+    const reply = await send({ kind: 'list' }, { timeoutMs, socket: path })
     return reply.ok
   } catch {
     return false
@@ -58,56 +63,47 @@ export async function send(req: Request, opts: SendOptions = {}): Promise<Respon
   const path = opts.socket ?? socketPath()
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS
 
-  type State = { buf: string; resolve: (r: Response) => void }
-  const state: State = {
-    buf: '',
-    resolve: () => {},
-  }
+  return new Promise<Response>((resolve) => {
+    let buf = ''
+    let settled = false
+    let sock: NetSocket | null = null
+    let timer: ReturnType<typeof setTimeout> | null = null
 
-  const replyPromise = new Promise<Response>((resolve) => {
-    state.resolve = resolve
-  })
+    const finish = (response: Response, destroy = false): void => {
+      if (settled) return
+      settled = true
+      if (timer) clearTimeout(timer)
+      if (sock) {
+        try {
+          if (destroy) sock.destroy()
+          else sock.end()
+        } catch {}
+      }
+      resolve(response)
+    }
 
-  let sock: Socket<State>
-  try {
-    sock = await Bun.connect<State>({
-      unix: path,
-      socket: {
-        data: (s, chunk) => {
-          s.data.buf += chunk.toString('utf8')
-          const newline = s.data.buf.indexOf('\n')
-          if (newline < 0) return
-          const line = s.data.buf.slice(0, newline)
-          try {
-            const parsed = JSON.parse(line) as Response
-            s.data.resolve(parsed)
-          } catch {
-            s.data.resolve({ ok: false, reason: 'invalid response from daemon' })
-          }
-          s.end()
-        },
-        close: () => {},
-        error: () => {
-          state.resolve({ ok: false, reason: 'socket error' })
-        },
-      },
+    timer = setTimeout(() => finish({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }, true), timeoutMs)
+    sock = connect(path)
+    sock.on('connect', () => {
+      try {
+        sock?.write(`${JSON.stringify(req)}\n`)
+      } catch (error) {
+        finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
+      }
+    })
+    sock.on('data', (chunk: Buffer) => {
+      buf += chunk.toString('utf8')
+      const newline = buf.indexOf('\n')
+      if (newline < 0) return
+      const line = buf.slice(0, newline)
+      try {
+        finish(JSON.parse(line) as Response)
+      } catch {
+        finish({ ok: false, reason: 'invalid response from daemon' }, true)
+      }
+    })
+    sock.on('error', (error) => {
+      finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
     })
-  } catch (error) {
-    return { ok: false, reason: error instanceof Error ? error.message : String(error) }
-  }
-  sock.data = state
-  sock.write(`${JSON.stringify(req)}\n`)
-
-  let timer: ReturnType<typeof setTimeout> | null = null
-  const timeoutPromise = new Promise<Response>((resolve) => {
-    timer = setTimeout(() => resolve({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }), timeoutMs)
   })
-  try {
-    return await Promise.race([replyPromise, timeoutPromise])
-  } finally {
-    if (timer) clearTimeout(timer)
-    try {
-      sock.end()
-    } catch {}
-  }
 }

package/src/hostd/daemon.ts

@@ -1,14 +1,14 @@
 import { existsSync } from 'node:fs'
 import { chmod, readdir, readFile, rename, unlink, writeFile } from 'node:fs/promises'
+import { createServer, type Server, type Socket as NetSocket } from 'node:net'
 import { join } from 'node:path'
 
-import type { Socket, UnixSocketListener } from 'bun'
-
 import type { PortForward } from '@/config'
 import { defaultDockerExec, type DockerExec } from '@/container'
 import type { PortForwardEvent } from '@/portbroker'
 import { kakaoChannelBlockSchema, lineChannelBlockSchema } from '@/secrets/schema'
 import { SecretsBackend } from '@/secrets/storage'
+import { isWindows } from '@/shared'
 
 import { isDaemonReachable } from './client'
 import type { KakaoRenewalCallbacks, KakaoRenewalLogEvent } from './kakao-renewal-manager'
@@ -121,8 +121,6 @@ const MAX_HTTP_REQUEST_BYTES = 64 * 1024
 // it's already in use by some other local service.
 const STABLE_HTTP_PORT = 8974
 
-type ServerState = { buf: string }
-
 function json(response: RpcResponse, status = 200): globalThis.Response {
   return new Response(JSON.stringify(response), {
     status,
@@ -208,12 +206,54 @@ function stringifyError(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
 }
 
+function errorCode(error: Error): unknown {
+  const direct = error as Error & { code?: unknown; cause?: unknown }
+  if (direct.code !== undefined) return direct.code
+  if (direct.cause instanceof Error) return errorCode(direct.cause)
+  return undefined
+}
+
+async function listenOnSocket(server: Server, path: string, onWindows: boolean): Promise<void> {
+  await new Promise<void>((resolve, reject) => {
+    const onError = (error: Error): void => {
+      server.off('error', onError)
+      const code = errorCode(error)
+      if (code === 'EADDRINUSE' || (onWindows && error.message.includes('Failed to listen at'))) {
+        reject(new Error(`another typeclaw host daemon is already listening at ${path}`))
+        return
+      }
+      reject(error)
+    }
+    server.once('error', onError)
+    server.listen(path, () => {
+      server.off('error', onError)
+      resolve()
+    })
+  })
+}
+
+async function closeSocketServer(server: Server, sockets: Set<NetSocket>): Promise<void> {
+  await new Promise<void>((resolve) => {
+    try {
+      server.close(() => resolve())
+    } catch {
+      resolve()
+    }
+    for (const socket of sockets) {
+      try {
+        socket.destroy()
+      } catch {}
+    }
+  })
+}
+
 export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   await ensureDirs()
   const path = opts.socket ?? socketPath()
+  const onWindows = isWindows()
 
-  if (existsSync(path)) {
-    if (await isDaemonReachable(500)) {
+  if (!onWindows && existsSync(path)) {
+    if (await isDaemonReachable(500, { socket: path })) {
       throw new Error(`another typeclaw host daemon is already listening at ${path}`)
     }
     try {
@@ -488,37 +528,37 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     }
   }
 
-  const respond = (sock: Socket<ServerState>, response: RpcResponse): void => {
+  const respond = (socket: NetSocket, response: RpcResponse): void => {
     try {
-      sock.write(`${JSON.stringify(response)}\n`)
+      socket.write(`${JSON.stringify(response)}\n`)
     } catch {}
     try {
-      sock.end()
+      socket.end()
     } catch {}
   }
 
-  const handleData = (sock: Socket<ServerState>, chunk: Buffer): void => {
-    sock.data.buf += chunk.toString('utf8')
-    if (sock.data.buf.length > MAX_REQUEST_BUFFER_BYTES) {
-      respond(sock, { ok: false, reason: 'request exceeds buffer limit' })
+  const handleData = (socket: NetSocket, chunk: Buffer, state: { buf: string }): void => {
+    state.buf += chunk.toString('utf8')
+    if (state.buf.length > MAX_REQUEST_BUFFER_BYTES) {
+      respond(socket, { ok: false, reason: 'request exceeds buffer limit' })
       return
     }
-    let newline = sock.data.buf.indexOf('\n')
+    let newline = state.buf.indexOf('\n')
     while (newline >= 0) {
-      const line = sock.data.buf.slice(0, newline)
-      sock.data.buf = sock.data.buf.slice(newline + 1)
+      const line = state.buf.slice(0, newline)
+      state.buf = state.buf.slice(newline + 1)
       let req: Request
       try {
         req = JSON.parse(line) as Request
       } catch {
-        respond(sock, { ok: false, reason: 'invalid request json' })
+        respond(socket, { ok: false, reason: 'invalid request json' })
         return
       }
       void dispatch(req).then(
-        (response) => respond(sock, response),
-        (error) => respond(sock, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
+        (response) => respond(socket, response),
+        (error) => respond(socket, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
       )
-      newline = sock.data.buf.indexOf('\n')
+      newline = state.buf.indexOf('\n')
     }
   }
 
@@ -599,25 +639,28 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   }
 
   // Boot-time restore: replay every persisted registration into the in-memory
-  // maps and revive portbroker for it. Runs before Bun.listen so the socket
+  // maps and revive portbroker for it. Runs before the IPC listener so the socket
   // is never accepting RPCs against a half-restored registry. A bad file
   // (parse error, schema mismatch) is logged-and-skipped — one corrupt
   // registration must not gate every other container's recovery.
   await restorePersistedRegistrations(applyRegistration, log, probeContainerAlive, removeRegistrationFile)
 
-  const listener: UnixSocketListener<ServerState> = Bun.listen<ServerState>({
-    unix: path,
-    socket: {
-      open: (sock) => {
-        sock.data = { buf: '' }
-      },
-      data: handleData,
-      close: () => {},
-      error: () => {},
-    },
+  const sockets = new Set<NetSocket>()
+  const listener = createServer((socket) => {
+    const state = { buf: '' }
+    sockets.add(socket)
+    socket.on('data', (chunk: Buffer) => handleData(socket, chunk, state))
+    socket.on('close', () => sockets.delete(socket))
+    socket.on('error', () => {})
   })
-  // Restrict socket to the owning user; ~/.typeclaw/run is also 0700.
-  await chmod(path, 0o600).catch(() => {})
+  try {
+    await listenOnSocket(listener, path, onWindows)
+  } catch (error) {
+    httpServer.stop(true)
+    throw error
+  }
+  // Restrict POSIX sockets to the owning user; ~/.typeclaw/run is also 0700.
+  if (!onWindows) await chmod(path, 0o600).catch(() => {})
   log({ kind: 'daemon-listening', socket: path })
 
   const runGc = async (): Promise<void> => {
@@ -658,9 +701,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       stopped = true
       log({ kind: 'daemon-stopping' })
       clearInterval(gcTimer)
-      try {
-        listener.stop(true)
-      } catch {}
+      await closeSocketServer(listener, sockets)
       httpServer.stop(true)
       if (opts.portbroker) {
         const names = Array.from(cwds.keys())
@@ -672,9 +713,11 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       }
       cwds.clear()
       restartTokens.clear()
-      try {
-        if (existsSync(path)) await unlink(path)
-      } catch {}
+      if (!onWindows) {
+        try {
+          if (existsSync(path)) await unlink(path)
+        } catch {}
+      }
     },
   }
   return daemonHandle

package/src/hostd/paths.ts

@@ -1,6 +1,9 @@
+import { createHash } from 'node:crypto'
 import { chmod, mkdir } from 'node:fs/promises'
-import { homedir } from 'node:os'
-import { join } from 'node:path'
+import { homedir, userInfo } from 'node:os'
+import { join, resolve } from 'node:path'
+
+import { isWindows } from '@/shared'
 
 // Fixed in-container path where the host daemon's run dir is bind-mounted.
 // The agent uses this to reach the host daemon (e.g. for the `restart` tool).
@@ -33,9 +36,26 @@ export function logDir(): string {
 }
 
 export function socketPath(): string {
+  if (isWindows()) return windowsPipePath()
   return join(runDir(), SOCKET_FILE)
 }
 
+function windowsPipePath(): string {
+  const uid =
+    typeof process.getuid === 'function'
+      ? `uid:${process.getuid()}`
+      : `user:${process.env.USERDOMAIN ?? ''}\\${userInfo().username}`
+  // Locale-invariant lowercasing: toLocaleLowerCase under e.g. tr-TR would map
+  // 'I' to a dotless 'ı', hashing the same path differently per process locale.
+  const scopedHome = resolve(homeRoot()).toLowerCase()
+  const hash = createHash('sha256').update(`${uid}\0${scopedHome}`).digest('hex').slice(0, 32)
+
+  // Node's net named-pipe API has no portable ACL hook. TypeClaw accepts that
+  // under the single-tenant dev-box model; the per-user/per-home pipe name keeps
+  // the pipe scoped, while the separate HTTP leg remains restart/secrets-only.
+  return `\\\\.\\pipe\\typeclaw-hostd-${hash}`
+}
+
 export function pidfilePath(): string {
   return join(runDir(), 'hostd.pid')
 }

package/src/hostd/spawn.ts

@@ -1,6 +1,8 @@
 import { existsSync } from 'node:fs'
 import { open, readFile, unlink, writeFile } from 'node:fs/promises'
 
+import { isWindows } from '@/shared'
+
 import { isDaemonReachable, send } from './client'
 import { ensureDirs, lockfilePath, logfilePath, pidfilePath, socketPath } from './paths'
 import type { HttpInfoResult, VersionResult } from './protocol'
@@ -75,6 +77,11 @@ async function requestShutdownAndWait(): Promise<boolean> {
   if (!reply.ok) return false
   const deadline = Date.now() + SHUTDOWN_TIMEOUT_MS
   while (Date.now() < deadline) {
+    if (isWindows()) {
+      if (!(await isDaemonReachable(POLL_INTERVAL_MS))) return true
+      await sleep(POLL_INTERVAL_MS)
+      continue
+    }
     if (!existsSync(socketPath())) return true
     await sleep(POLL_INTERVAL_MS)
   }

package/src/init/kakaotalk-auth.ts

@@ -1,4 +1,4 @@
-import { join, resolve } from 'node:path'
+import { join, posix, resolve } from 'node:path'
 
 import { loginFlow as upstreamLoginFlow } from 'agent-messenger/kakaotalk'
 
@@ -34,7 +34,7 @@ export type LoginFlowOptions = Parameters<LoginFlowFn>[0]
 export type LoginFlowResult = Awaited<ReturnType<LoginFlowFn>>
 
 export function kakaotalkConfigDir(agentDir: string): string {
-  return join(agentDir, 'workspace', '.agent-messenger')
+  return posix.join(agentDir, 'workspace', '.agent-messenger')
 }
 
 export function kakaotalkSecretsPath(agentDir: string): string {

package/src/init/packagejson.ts

@@ -1,6 +1,6 @@
 import { existsSync } from 'node:fs'
 import { mkdir, readFile, writeFile } from 'node:fs/promises'
-import { join } from 'node:path'
+import { join, posix } from 'node:path'
 
 import { GITKEEP_FILE, PACKAGES_DIR } from './paths'
 
@@ -33,7 +33,7 @@ export async function refreshPackageJson(cwd: string): Promise<PackageJsonRefres
     if (updated) changed.push(PACKAGE_FILE)
   }
 
-  const gitkeepRel = join(PACKAGES_DIR, GITKEEP_FILE)
+  const gitkeepRel = posix.join(PACKAGES_DIR, GITKEEP_FILE)
   const gitkeepPath = join(cwd, gitkeepRel)
   if (!existsSync(gitkeepPath)) {
     await mkdir(join(cwd, PACKAGES_DIR), { recursive: true })

package/src/plugin/loader.ts

@@ -61,8 +61,7 @@ async function loadLocal(entry: string, agentDir: string): Promise<ResolvedPlugi
   if (!existsSync(resolved)) {
     throw new PluginNotFoundError(entry, `plugin path does not exist: ${entry} (resolved to ${resolved})`)
   }
-  const url = pathToFileURL(resolved).href
-  const mod = (await import(url)) as { default?: unknown }
+  const mod = (await import(toModuleSpecifier(resolved))) as { default?: unknown }
   const defined = expectDefined(mod, entry)
   const name = basename(resolved).replace(/\.(ts|tsx|js|mjs|cjs)$/i, '')
   return { name, version: undefined, source: entry, defined }
@@ -108,10 +107,10 @@ async function loadNpm(entry: string, agentDir: string): Promise<ResolvedPlugin>
   // located on disk; the else branch lets Bun's resolver read `exports` maps.
   let importTarget: string
   if (entryPath !== null) {
-    importTarget = pathToFileURL(entryPath).href
+    importTarget = toModuleSpecifier(entryPath)
   } else {
     try {
-      importTarget = Bun.resolveSync(packageName, agentDir)
+      importTarget = toModuleSpecifier(Bun.resolveSync(packageName, agentDir))
     } catch (err) {
       throw new PluginNotFoundError(entry, `cannot resolve plugin "${entry}": ${describeError(err)}`, { cause: err })
     }
@@ -151,6 +150,10 @@ function describeError(err: unknown): string {
   return err instanceof Error ? err.message : String(err)
 }
 
+function toModuleSpecifier(target: string): string {
+  return isAbsolute(target) ? pathToFileURL(target).href : target
+}
+
 function findPackageJson(entry: string, agentDir: string): string | null {
   const PACKAGE_JSON = 'package.json'
   let cur = agentDir