typeclaw 0.37.4 → 0.37.6

package/src/config/config.ts

@@ -1168,7 +1168,7 @@ function persistMigratedConfig(cwd: string, json: unknown, applied: readonly Mig
   }
 }
 
-export type ValidateConfigResult = { ok: true } | { ok: false; reason: string }
+export type ValidateConfigResult = { ok: true; warnings?: string[] } | { ok: false; reason: string }
 
 // Missing file → ok (matches `loadMounts` in src/container/up.ts; `isInitialized`
 // is the dedicated check for "not initialized"). Present but invalid → fail, so
@@ -1200,6 +1200,18 @@ export function validateConfig(cwd: string, options: ValidateConfigOptions = {})
   const parsed = parseConfigJson(raw, { migrate: true, persistTarget: cwd })
   if (!parsed.ok) return parsed
 
+  const allowUnsafeAppend = process.env[ALLOW_UNSAFE_DOCKER_APPEND_ENV] === '1'
+  const warnings: string[] = []
+  const appendLines = parsed.config.docker.file.append
+  for (let i = 0; i < appendLines.length; i++) {
+    const check = validateDockerfileAppendLine(appendLines[i]!)
+    if (!check.ok) {
+      if (check.kind === 'semantic' && allowUnsafeAppend) continue
+      return { ok: false, reason: `docker.file.append[${i}] ${check.reason}` }
+    }
+    if (check.warning) warnings.push(`docker.file.append[${i}] ${check.warning}`)
+  }
+
   if (!options.skipMounts) {
     for (const mount of parsed.config.mounts) {
       const check = validateMount(mount, cwd)
@@ -1207,7 +1219,7 @@ export function validateConfig(cwd: string, options: ValidateConfigOptions = {})
     }
   }
 
-  return { ok: true }
+  return warnings.length > 0 ? { ok: true, warnings } : { ok: true }
 }
 
 export type ParseConfigJsonResult = { ok: true; config: Config } | { ok: false; reason: string }
@@ -1253,11 +1265,15 @@ export function parseConfigJson(raw: string, options: ParseConfigJsonOptions = {
   return { ok: true, config: result.data }
 }
 
-// Verifies a mount's host path: exists, is a directory, is readable, and is
-// writable when not declared `readOnly`. Symlinks are followed (statSync's
-// default) so a broken symlink reads as "does not exist". Permission checks
-// are skipped when running as root (uid 0) — euidaccess returns success
-// regardless, so the test would be vacuous and inconsistent with non-root.
+// Verifies a mount's host path: exists, is a regular file or directory, is
+// readable, and is writable when not declared `readOnly`. Symlinks are
+// followed (statSync's default) so a broken symlink reads as "does not exist".
+// File mounts are allowed so credentials and config can be exposed as a single
+// path (e.g. an SSH private key); sockets, FIFOs, and devices are rejected
+// because exposing them is an advanced, security-sensitive case we don't take
+// implicitly. Permission checks are skipped when running as root (uid 0) —
+// euidaccess returns success regardless, so the test would be vacuous and
+// inconsistent with non-root.
 export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
   const resolved = expandMountPath(mount.path, cwd)
   const label = `mount "${mount.name}"`
@@ -1274,8 +1290,8 @@ export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
     return { ok: false, reason: `${label}: cannot stat ${resolved}: ${detail}` }
   }
 
-  if (!stats.isDirectory()) {
-    return { ok: false, reason: `${label}: path ${resolved} is not a directory` }
+  if (!stats.isDirectory() && !stats.isFile()) {
+    return { ok: false, reason: `${label}: path ${resolved} is not a file or directory` }
   }
 
   const isRoot = typeof process.getuid === 'function' && process.getuid() === 0
@@ -1301,6 +1317,181 @@ export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
   return { ok: true }
 }
 
+// Host env (not config) on purpose: an in-container agent can edit its own
+// typeclaw.json but cannot set the env of the host `typeclaw start` that runs
+// this gate, so it can never waive its own footgun. Only relaxes SEMANTIC
+// blocks; structural blocks always fire (they break Dockerfile generation).
+const ALLOW_UNSAFE_DOCKER_APPEND_ENV = 'TYPECLAW_ALLOW_UNSAFE_DOCKER_APPEND'
+
+// FROM/ENTRYPOINT/CMD/MAINTAINER are intentionally excluded — see the
+// structural blocks in validateDockerfileAppendLine for why.
+const ALLOWED_APPEND_INSTRUCTIONS = new Set([
+  'RUN',
+  'ENV',
+  'ARG',
+  'LABEL',
+  'COPY',
+  'ADD',
+  'USER',
+  'WORKDIR',
+  'SHELL',
+  'EXPOSE',
+  'VOLUME',
+  'STOPSIGNAL',
+  'HEALTHCHECK',
+  'ONBUILD',
+])
+
+// Decode primitives that, paired with dynamic execution on the same line, form
+// the "decode an opaque blob and run it" anti-pattern that bricked a real build
+// (an agent base64-decoded the bash entrypoint shim and fed it to python3
+// exec). Matching is substring/case-insensitive — these are code tokens the
+// agent emits, not natural-language, so English literals are correct here (cf.
+// the protocol-token exception in AGENTS.md).
+const DECODE_PRIMITIVES = ['base64', 'b64decode', 'atob(', 'unhexlify', '.fromhex(', 'xxd -r']
+
+// True dynamic-execution sinks — language constructs that run a STRING as code.
+// Deliberately NOT including interpreter flags like `python3 -c`/`node -e`: a
+// benign `python3 -c "print(base64.b64encode(...))"` legitimately mentions a
+// decode primitive without ever executing the decoded bytes. The footgun is
+// decode + a real exec sink (or decode piped to an interpreter, below).
+const EXEC_PRIMITIVES = ['exec(', 'eval(', 'new function(', 'function(']
+
+// Decoded stdout piped straight into an interpreter: `base64 -d ... | sh`,
+// `... | python3`, etc. The pipe is the execution step here, so it pairs with
+// DECODE_PRIMITIVES independently of the EXEC_PRIMITIVES sinks above.
+const DECODE_PIPED_TO_INTERPRETER =
+  /\|\s*(?:sudo\s+)?(?:ba)?sh\b|\|\s*(?:sudo\s+)?python3?\b|\|\s*(?:sudo\s+)?(?:node|perl|ruby)\b/i
+
+// Risky-but-legitimate operator patterns: piping a remote script straight into
+// a shell, or ADDing a remote URL. Common enough in real build steps that a
+// hard block would frustrate power users, dangerous enough to flag.
+const APPEND_WARN_PATTERNS: Array<{ test: RegExp; note: string }> = [
+  {
+    test: /\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b/i,
+    note: 'pipes a remote script directly into a shell (curl|bash); verify the source is trusted',
+  },
+  {
+    test: /<\(\s*(?:curl|wget)\b/i,
+    note: 'executes a remote script via process substitution; verify the source is trusted',
+  },
+  {
+    test: /^ADD\s+https?:\/\//i,
+    note: 'ADD of a remote URL fetches an unpinned artifact at build time; prefer a pinned COPY or checksum-verified RUN',
+  },
+]
+
+export type AppendLineCheck =
+  | { ok: true; warning?: string }
+  // `structural` blocks are unconditional (they break Dockerfile generation);
+  // `semantic` blocks are waivable via the host env override.
+  | { ok: false; reason: string; kind: 'structural' | 'semantic' }
+
+// Pure, side-effect-free validator for ONE docker.file.append entry. The newline
+// rejection stays in the zod schema (dockerfileLineSchema) so it fires on every
+// parse including the agent's own config-write guard; this adds the contextual
+// policy the schema can't express cheaply. Returns the first problem found.
+export function validateDockerfileAppendLine(line: string): AppendLineCheck {
+  const trimmed = line.trim()
+
+  if (trimmed === '') {
+    return { ok: false, reason: 'is empty or whitespace-only', kind: 'structural' }
+  }
+
+  // A trailing backslash is a line continuation: it would merge the generated
+  // ENTRYPOINT (spliced right after the append block) into this instruction.
+  if (/\\\s*$/.test(line)) {
+    return {
+      ok: false,
+      reason:
+        'ends with a line-continuation backslash, which would swallow the generated ENTRYPOINT; keep each entry self-contained',
+      kind: 'structural',
+    }
+  }
+
+  // Heredoc syntax spans multiple lines by definition and cannot work in a
+  // single spliced entry — it would consume the following generated lines.
+  if (/<<-?\s*['"]?\w/.test(trimmed)) {
+    return {
+      ok: false,
+      reason: 'uses heredoc syntax (<<EOF), which cannot be expressed as a single Dockerfile line',
+      kind: 'structural',
+    }
+  }
+
+  if (trimmed.startsWith('#')) {
+    // Parser directives (`# syntax=`, `# escape=`) only have meaning at the top
+    // of a Dockerfile; spliced before ENTRYPOINT they are at best inert and at
+    // worst confusing. Plain comments are fine.
+    if (/^#\s*(syntax|escape|check)\s*=/i.test(trimmed)) {
+      return {
+        ok: false,
+        reason: 'is a parser directive (# syntax=/# escape=), which is only valid at the top of a Dockerfile',
+        kind: 'structural',
+      }
+    }
+    return { ok: true }
+  }
+
+  const instruction = trimmed.split(/\s+/, 1)[0]?.toUpperCase() ?? ''
+
+  if (instruction === 'FROM') {
+    return {
+      ok: false,
+      reason: 'starts a new build stage (FROM), discarding everything TypeClaw layered before it',
+      kind: 'structural',
+    }
+  }
+  if (instruction === 'ENTRYPOINT' || instruction === 'CMD') {
+    return {
+      ok: false,
+      reason: `overrides the container ${instruction}, which TypeClaw owns (the entrypoint shim is appended right after this block)`,
+      kind: 'structural',
+    }
+  }
+  if (!ALLOWED_APPEND_INSTRUCTIONS.has(instruction)) {
+    return {
+      ok: false,
+      reason: `does not begin with a recognized Dockerfile instruction (got "${instruction}")`,
+      kind: 'structural',
+    }
+  }
+
+  const lower = trimmed.toLowerCase()
+
+  // The actual incident: mutating TypeClaw's own entrypoint shim. This is never
+  // a supported customization surface — entrypoint changes belong in TypeClaw
+  // source, not in a build-time patch script.
+  if (lower.includes('typeclaw-entrypoint')) {
+    return {
+      ok: false,
+      reason:
+        'references the TypeClaw-owned entrypoint (typeclaw-entrypoint); patching it from docker.file.append is unsupported and brittle',
+      kind: 'semantic',
+    }
+  }
+
+  // Decode-an-opaque-blob-and-execute-it. A benign decode (encoding output,
+  // writing a file) or a bare `python3 -c "print(...)"` both pass; only decode
+  // PAIRED with a real exec sink — or piped into an interpreter — is blocked.
+  const hasDecode = DECODE_PRIMITIVES.some((p) => lower.includes(p))
+  const hasExec = EXEC_PRIMITIVES.some((p) => lower.includes(p)) || DECODE_PIPED_TO_INTERPRETER.test(lower)
+  if (hasDecode && hasExec) {
+    return {
+      ok: false,
+      reason:
+        'decodes an opaque payload and executes it (e.g. base64 + exec/eval), an obfuscated-code anti-pattern that has bricked builds',
+      kind: 'semantic',
+    }
+  }
+
+  for (const { test, note } of APPEND_WARN_PATTERNS) {
+    if (test.test(trimmed)) return { ok: true, warning: note }
+  }
+
+  return { ok: true }
+}
+
 function formatZodError(error: z.ZodError): string {
   return error.issues
     .map((issue) => {

package/src/container/shared.ts

@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto'
 import { basename, resolve } from 'node:path'
 
 export type DockerExecResult = { exitCode: number; stdout: string; stderr: string }
@@ -249,8 +250,25 @@ export function imageTagFromCwd(cwd: string): string {
 }
 
 // Docker container names must match [a-zA-Z0-9][a-zA-Z0-9_.-]*.
+//
+// Non-ASCII names (Korean/CJK/Cyrillic/accented Latin — the common Windows case
+// where the profile folder is a localized display name, e.g. C:\Users\사용자\봇)
+// have every out-of-charset character collapsed to a dash, so distinct folders
+// reduce to the SAME string: '봇' and '집' both → 'tc--'. The container name keys
+// hostd registration and the secrets key path, so that collision is silent
+// host-side state clobbering, not cosmetics. For any name carrying a non-ASCII
+// char we append a deterministic hash of the original (cf. makeUntitledSlug in
+// the memory plugin) to keep distinct folders distinct; surviving ASCII stays a
+// readable prefix. ASCII-only names take the original branch — never renamed.
 function sanitizeContainerName(name: string): string {
   const cleaned = name.replace(/[^a-zA-Z0-9_.-]/g, '-')
+  if (/[^\u0000-\u007f]/.test(name)) {
+    const hash = createHash('sha256').update(name).digest('hex').slice(0, 8)
+    const remnant = cleaned.replace(/-+/g, '-').replace(/^-+|-+$/g, '')
+    if (remnant === '') return `tc-${hash}`
+    const base = /^[a-zA-Z0-9]/.test(remnant) ? remnant : `tc-${remnant}`
+    return `${base}-${hash}`
+  }
   if (cleaned === '' || !/^[a-zA-Z0-9]/.test(cleaned)) {
     return `tc-${cleaned || 'agent'}`
   }

package/src/container/start.ts

@@ -671,7 +671,7 @@ export async function planStart({
   // so mounting an empty cache would only invite a confusing local_files_only
   // miss if something inside the container reached for the model anyway.
   if (agentUsesVector(cwd)) {
-    runArgs.push('-v', `${homeRoot()}/models:/opt/models:ro`)
+    runArgs.push('-v', `${join(homeRoot(), 'models')}:/opt/models:ro`)
     runArgs.push('-e', 'TYPECLAW_MODEL_CACHE=/opt/models')
   }
 

package/src/cron/consumer.ts

@@ -338,16 +338,16 @@ async function runExec(job: ExecJob, cwd: string): Promise<void> {
   const proc = Bun.spawn({
     cmd: [cmd, ...args],
     cwd,
-    stdout: 'pipe',
+    stdout: 'ignore',
     stderr: 'pipe',
     env: {
       ...process.env,
       TYPECLAW_PARENT_ORIGIN_JSON: JSON.stringify(parentOrigin),
     },
   })
-  const code = await proc.exited
+  const stderrText = new Response(proc.stderr).text()
+  const [code, stderr] = await Promise.all([proc.exited, stderrText])
   if (code !== 0) {
-    const stderr = await new Response(proc.stderr).text()
     throw new Error(`exec job ${job.id} exited with code ${code}: ${stderr.trim() || 'no stderr'}`)
   }
 }

package/src/hostd/client.ts

@@ -1,16 +1,21 @@
 import { existsSync } from 'node:fs'
+import { connect, type Socket as NetSocket } from 'node:net'
 
-import type { Socket } from 'bun'
+import { isWindows } from '@/shared'
 
 import { socketPath } from './paths'
 import type { Request, Response } from './protocol'
 
 const DEFAULT_TIMEOUT_MS = 3_000
 
-export async function isDaemonReachable(timeoutMs = DEFAULT_TIMEOUT_MS): Promise<boolean> {
-  if (!existsSync(socketPath())) return false
+export async function isDaemonReachable(
+  timeoutMs = DEFAULT_TIMEOUT_MS,
+  opts: Pick<SendOptions, 'socket'> = {},
+): Promise<boolean> {
+  const path = opts.socket ?? socketPath()
+  if (!isWindows() && !existsSync(path)) return false
   try {
-    const reply = await send({ kind: 'list' }, { timeoutMs })
+    const reply = await send({ kind: 'list' }, { timeoutMs, socket: path })
     return reply.ok
   } catch {
     return false
@@ -58,56 +63,47 @@ export async function send(req: Request, opts: SendOptions = {}): Promise<Respon
   const path = opts.socket ?? socketPath()
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS
 
-  type State = { buf: string; resolve: (r: Response) => void }
-  const state: State = {
-    buf: '',
-    resolve: () => {},
-  }
+  return new Promise<Response>((resolve) => {
+    let buf = ''
+    let settled = false
+    let sock: NetSocket | null = null
+    let timer: ReturnType<typeof setTimeout> | null = null
 
-  const replyPromise = new Promise<Response>((resolve) => {
-    state.resolve = resolve
-  })
+    const finish = (response: Response, destroy = false): void => {
+      if (settled) return
+      settled = true
+      if (timer) clearTimeout(timer)
+      if (sock) {
+        try {
+          if (destroy) sock.destroy()
+          else sock.end()
+        } catch {}
+      }
+      resolve(response)
+    }
 
-  let sock: Socket<State>
-  try {
-    sock = await Bun.connect<State>({
-      unix: path,
-      socket: {
-        data: (s, chunk) => {
-          s.data.buf += chunk.toString('utf8')
-          const newline = s.data.buf.indexOf('\n')
-          if (newline < 0) return
-          const line = s.data.buf.slice(0, newline)
-          try {
-            const parsed = JSON.parse(line) as Response
-            s.data.resolve(parsed)
-          } catch {
-            s.data.resolve({ ok: false, reason: 'invalid response from daemon' })
-          }
-          s.end()
-        },
-        close: () => {},
-        error: () => {
-          state.resolve({ ok: false, reason: 'socket error' })
-        },
-      },
+    timer = setTimeout(() => finish({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }, true), timeoutMs)
+    sock = connect(path)
+    sock.on('connect', () => {
+      try {
+        sock?.write(`${JSON.stringify(req)}\n`)
+      } catch (error) {
+        finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
+      }
+    })
+    sock.on('data', (chunk: Buffer) => {
+      buf += chunk.toString('utf8')
+      const newline = buf.indexOf('\n')
+      if (newline < 0) return
+      const line = buf.slice(0, newline)
+      try {
+        finish(JSON.parse(line) as Response)
+      } catch {
+        finish({ ok: false, reason: 'invalid response from daemon' }, true)
+      }
+    })
+    sock.on('error', (error) => {
+      finish({ ok: false, reason: error instanceof Error ? error.message : String(error) }, true)
     })
-  } catch (error) {
-    return { ok: false, reason: error instanceof Error ? error.message : String(error) }
-  }
-  sock.data = state
-  sock.write(`${JSON.stringify(req)}\n`)
-
-  let timer: ReturnType<typeof setTimeout> | null = null
-  const timeoutPromise = new Promise<Response>((resolve) => {
-    timer = setTimeout(() => resolve({ ok: false, reason: `daemon ack timeout after ${timeoutMs}ms` }), timeoutMs)
   })
-  try {
-    return await Promise.race([replyPromise, timeoutPromise])
-  } finally {
-    if (timer) clearTimeout(timer)
-    try {
-      sock.end()
-    } catch {}
-  }
 }

package/src/hostd/daemon.ts

@@ -1,14 +1,14 @@
 import { existsSync } from 'node:fs'
 import { chmod, readdir, readFile, rename, unlink, writeFile } from 'node:fs/promises'
+import { createServer, type Server, type Socket as NetSocket } from 'node:net'
 import { join } from 'node:path'
 
-import type { Socket, UnixSocketListener } from 'bun'
-
 import type { PortForward } from '@/config'
 import { defaultDockerExec, type DockerExec } from '@/container'
 import type { PortForwardEvent } from '@/portbroker'
 import { kakaoChannelBlockSchema, lineChannelBlockSchema } from '@/secrets/schema'
 import { SecretsBackend } from '@/secrets/storage'
+import { isWindows } from '@/shared'
 
 import { isDaemonReachable } from './client'
 import type { KakaoRenewalCallbacks, KakaoRenewalLogEvent } from './kakao-renewal-manager'
@@ -121,8 +121,6 @@ const MAX_HTTP_REQUEST_BYTES = 64 * 1024
 // it's already in use by some other local service.
 const STABLE_HTTP_PORT = 8974
 
-type ServerState = { buf: string }
-
 function json(response: RpcResponse, status = 200): globalThis.Response {
   return new Response(JSON.stringify(response), {
     status,
@@ -208,12 +206,54 @@ function stringifyError(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
 }
 
+function errorCode(error: Error): unknown {
+  const direct = error as Error & { code?: unknown; cause?: unknown }
+  if (direct.code !== undefined) return direct.code
+  if (direct.cause instanceof Error) return errorCode(direct.cause)
+  return undefined
+}
+
+async function listenOnSocket(server: Server, path: string, onWindows: boolean): Promise<void> {
+  await new Promise<void>((resolve, reject) => {
+    const onError = (error: Error): void => {
+      server.off('error', onError)
+      const code = errorCode(error)
+      if (code === 'EADDRINUSE' || (onWindows && error.message.includes('Failed to listen at'))) {
+        reject(new Error(`another typeclaw host daemon is already listening at ${path}`))
+        return
+      }
+      reject(error)
+    }
+    server.once('error', onError)
+    server.listen(path, () => {
+      server.off('error', onError)
+      resolve()
+    })
+  })
+}
+
+async function closeSocketServer(server: Server, sockets: Set<NetSocket>): Promise<void> {
+  await new Promise<void>((resolve) => {
+    try {
+      server.close(() => resolve())
+    } catch {
+      resolve()
+    }
+    for (const socket of sockets) {
+      try {
+        socket.destroy()
+      } catch {}
+    }
+  })
+}
+
 export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   await ensureDirs()
   const path = opts.socket ?? socketPath()
+  const onWindows = isWindows()
 
-  if (existsSync(path)) {
-    if (await isDaemonReachable(500)) {
+  if (!onWindows && existsSync(path)) {
+    if (await isDaemonReachable(500, { socket: path })) {
       throw new Error(`another typeclaw host daemon is already listening at ${path}`)
     }
     try {
@@ -488,37 +528,37 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     }
   }
 
-  const respond = (sock: Socket<ServerState>, response: RpcResponse): void => {
+  const respond = (socket: NetSocket, response: RpcResponse): void => {
     try {
-      sock.write(`${JSON.stringify(response)}\n`)
+      socket.write(`${JSON.stringify(response)}\n`)
     } catch {}
     try {
-      sock.end()
+      socket.end()
     } catch {}
   }
 
-  const handleData = (sock: Socket<ServerState>, chunk: Buffer): void => {
-    sock.data.buf += chunk.toString('utf8')
-    if (sock.data.buf.length > MAX_REQUEST_BUFFER_BYTES) {
-      respond(sock, { ok: false, reason: 'request exceeds buffer limit' })
+  const handleData = (socket: NetSocket, chunk: Buffer, state: { buf: string }): void => {
+    state.buf += chunk.toString('utf8')
+    if (state.buf.length > MAX_REQUEST_BUFFER_BYTES) {
+      respond(socket, { ok: false, reason: 'request exceeds buffer limit' })
       return
     }
-    let newline = sock.data.buf.indexOf('\n')
+    let newline = state.buf.indexOf('\n')
     while (newline >= 0) {
-      const line = sock.data.buf.slice(0, newline)
-      sock.data.buf = sock.data.buf.slice(newline + 1)
+      const line = state.buf.slice(0, newline)
+      state.buf = state.buf.slice(newline + 1)
       let req: Request
       try {
         req = JSON.parse(line) as Request
       } catch {
-        respond(sock, { ok: false, reason: 'invalid request json' })
+        respond(socket, { ok: false, reason: 'invalid request json' })
         return
       }
       void dispatch(req).then(
-        (response) => respond(sock, response),
-        (error) => respond(sock, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
+        (response) => respond(socket, response),
+        (error) => respond(socket, { ok: false, reason: error instanceof Error ? error.message : String(error) }),
       )
-      newline = sock.data.buf.indexOf('\n')
+      newline = state.buf.indexOf('\n')
     }
   }
 
@@ -599,25 +639,28 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
   }
 
   // Boot-time restore: replay every persisted registration into the in-memory
-  // maps and revive portbroker for it. Runs before Bun.listen so the socket
+  // maps and revive portbroker for it. Runs before the IPC listener so the socket
   // is never accepting RPCs against a half-restored registry. A bad file
   // (parse error, schema mismatch) is logged-and-skipped — one corrupt
   // registration must not gate every other container's recovery.
   await restorePersistedRegistrations(applyRegistration, log, probeContainerAlive, removeRegistrationFile)
 
-  const listener: UnixSocketListener<ServerState> = Bun.listen<ServerState>({
-    unix: path,
-    socket: {
-      open: (sock) => {
-        sock.data = { buf: '' }
-      },
-      data: handleData,
-      close: () => {},
-      error: () => {},
-    },
+  const sockets = new Set<NetSocket>()
+  const listener = createServer((socket) => {
+    const state = { buf: '' }
+    sockets.add(socket)
+    socket.on('data', (chunk: Buffer) => handleData(socket, chunk, state))
+    socket.on('close', () => sockets.delete(socket))
+    socket.on('error', () => {})
   })
-  // Restrict socket to the owning user; ~/.typeclaw/run is also 0700.
-  await chmod(path, 0o600).catch(() => {})
+  try {
+    await listenOnSocket(listener, path, onWindows)
+  } catch (error) {
+    httpServer.stop(true)
+    throw error
+  }
+  // Restrict POSIX sockets to the owning user; ~/.typeclaw/run is also 0700.
+  if (!onWindows) await chmod(path, 0o600).catch(() => {})
   log({ kind: 'daemon-listening', socket: path })
 
   const runGc = async (): Promise<void> => {
@@ -658,9 +701,7 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       stopped = true
       log({ kind: 'daemon-stopping' })
       clearInterval(gcTimer)
-      try {
-        listener.stop(true)
-      } catch {}
+      await closeSocketServer(listener, sockets)
       httpServer.stop(true)
       if (opts.portbroker) {
         const names = Array.from(cwds.keys())
@@ -672,9 +713,11 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
       }
       cwds.clear()
       restartTokens.clear()
-      try {
-        if (existsSync(path)) await unlink(path)
-      } catch {}
+      if (!onWindows) {
+        try {
+          if (existsSync(path)) await unlink(path)
+        } catch {}
+      }
     },
   }
   return daemonHandle