voratiq 0.1.0-beta.23 → 0.1.0-beta.25

package/README.md

@@ -15,7 +15,7 @@ npm install -g voratiq
 
 - Node 20+
 - git
-- 1+ AI coding agent (Claude [>=2.1.111](https://github.com/anthropics/claude-code?tab=readme-ov-file#get-started), Codex [>=0.107.0](https://github.com/openai/codex?tab=readme-ov-file#quickstart), or Gemini [>=0.31.0](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quick-install))
+- 1+ AI coding agent (Claude [>=2.1.111](https://github.com/anthropics/claude-code?tab=readme-ov-file#get-started), Codex [>=0.122.0](https://github.com/openai/codex?tab=readme-ov-file#quickstart), or Gemini [>=0.31.0](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quick-install))
 - macOS: `ripgrep`
 - Linux (Debian/Ubuntu): `bubblewrap`, `socat`, `ripgrep`
 

package/dist/agents/runtime/harness.js

@@ -8,7 +8,7 @@ import { captureAgentChatArtifacts } from "./chat.js";
 import { AgentRuntimeError, AgentRuntimeProcessError, AgentRuntimeSandboxError, } from "./errors.js";
 import { configureSandboxSettings, runAgentProcess } from "./launcher.js";
 import { writeAgentManifest } from "./manifest.js";
-import { registerStagedAuthContext, teardownRegisteredAuthContext, } from "./registry.js";
+import { registerSessionProcess, registerStagedAuthContext, teardownRegisteredAuthContext, unregisterSessionProcess, } from "./registry.js";
 import { DEFAULT_DENIAL_BACKOFF } from "./sandbox.js";
 export async function runSandboxedAgent(input) {
     const { root, agent, prompt, environment, paths, sandboxStageId = "run", sessionId, sandboxProviderId, sandboxPolicyOverrides, extraWriteProtectedPaths, extraReadProtectedPaths, captureChat = true, teardownAuthOnExit = true, onWatchdogTrigger, } = input;
@@ -25,6 +25,7 @@ export async function runSandboxedAgent(input) {
         prompt,
     });
     let authContext;
+    let spawnedProcess;
     try {
         const staged = await stageAgentAuth({
             agent,
@@ -71,6 +72,10 @@ export async function runSandboxedAgent(input) {
             providerId,
             denialBackoff,
             onWatchdogTrigger,
+            onSpawnedProcess: (child) => {
+                spawnedProcess = child;
+                registerSessionProcess(sessionId, child);
+            },
         });
         const chat = captureChat
             ? await captureAgentChatArtifacts({
@@ -96,6 +101,10 @@ export async function runSandboxedAgent(input) {
         throw new AgentRuntimeProcessError(error instanceof Error ? error.message : toErrorMessage(error));
     }
     finally {
+        if (spawnedProcess &&
+            (spawnedProcess.exitCode !== null || spawnedProcess.signalCode !== null)) {
+            unregisterSessionProcess(sessionId, spawnedProcess);
+        }
         await rm(promptPath, { force: true }).catch(() => { });
         if (teardownAuthOnExit || !sessionId) {
             await teardownRegisteredAuthContext(sessionId ?? "runtime", authContext).catch(() => { });

package/dist/agents/runtime/launcher.d.ts

@@ -1,3 +1,4 @@
+import type { ChildProcess } from "node:child_process";
 import type { DenialBackoffConfig } from "../../configs/sandbox/types.js";
 import type { WatchdogMetadata } from "../../domain/run/model/types.js";
 import type { SandboxStageId } from "./policy.js";
@@ -16,6 +17,7 @@ export interface AgentProcessOptions {
     providerId?: string;
     /** Callback fired immediately when watchdog triggers, before process exits. */
     onWatchdogTrigger?: (trigger: WatchdogTrigger, reason: string, failFast?: SandboxFailFastInfo) => void;
+    onSpawnedProcess?: (child: ChildProcess) => void;
 }
 export interface AgentProcessResult {
     exitCode: number;

package/dist/agents/runtime/launcher.js

@@ -50,7 +50,7 @@ async function defaultResolveRunInvocation(context) {
     return { command, args };
 }
 export async function runAgentProcess(options) {
-    const { runtimeManifestPath, agentRoot, stdoutPath, stderrPath, sandboxSettingsPath, denialBackoff, resolveRunInvocation, providerId = "", onWatchdogTrigger, } = options;
+    const { runtimeManifestPath, agentRoot, stdoutPath, stderrPath, sandboxSettingsPath, denialBackoff, resolveRunInvocation, providerId = "", onWatchdogTrigger, onSpawnedProcess, } = options;
     const stdoutStream = createWriteStream(stdoutPath, { flags: "w" });
     const stderrStream = createWriteStream(stderrPath, { flags: "w" });
     const shimEntryPath = resolveShimEntryPath();
@@ -87,6 +87,7 @@ export async function runAgentProcess(options) {
             stderr: { writable: stderrStream },
             detached: true,
             onSpawn: (child) => {
+                onSpawnedProcess?.(child);
                 watchdogController = createWatchdog(child, stderrStream, {
                     providerId,
                     onWatchdogTrigger,

package/dist/agents/runtime/operator-access.d.ts

@@ -0,0 +1,68 @@
+export declare const SANDBOX_STAGE_IDS: readonly ["spec", "run", "reduce", "verify", "message"];
+export type SandboxStageId = (typeof SANDBOX_STAGE_IDS)[number];
+export type SandboxGitAccessLevel = "deny-read" | "deny-read-write";
+export type SandboxReadRoot = "repo-root" | "workspace-root";
+export type SandboxWriteRoot = "workspace-root";
+export type OperatorAccessProtectedOperatorDirKey = "spec-dir" | "run-dir" | "reduce-dir" | "verify-dir" | "message-dir";
+export type OperatorAccessProtectedMetadataPathKey = "run-index" | "run-history-lock";
+export type ReadonlyWorkspaceMountKey = "context" | "inputs" | "reference_repo";
+export interface OperatorAccessProfile {
+    readonly readRoot: SandboxReadRoot;
+    readonly writeRoot: SandboxWriteRoot;
+    readonly gitAccess: SandboxGitAccessLevel;
+    readonly protectedOperatorDirs: readonly OperatorAccessProtectedOperatorDirKey[];
+    readonly protectedMetadataPaths: readonly OperatorAccessProtectedMetadataPathKey[];
+    readonly restrictRepositoryReads: boolean;
+    readonly readonlyWorkspaceMounts: readonly ReadonlyWorkspaceMountKey[];
+}
+export declare const OPERATOR_ACCESS_PROFILES: {
+    readonly spec: {
+        readonly readRoot: "repo-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["run-dir", "reduce-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: false;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly run: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read-write";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "reduce-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly ["run-index", "run-history-lock"];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly reduce: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly verify: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "reduce-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly ["context", "inputs", "reference_repo"];
+    };
+    readonly message: {
+        readonly readRoot: "repo-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "reduce-dir", "verify-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: false;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+};
+export declare function getOperatorAccessProfile(stageId: SandboxStageId): OperatorAccessProfile;
+export declare function resolveProtectedOperatorDir(root: string, key: OperatorAccessProtectedOperatorDirKey): string;
+export declare function resolveProtectedMetadataPath(root: string, key: OperatorAccessProtectedMetadataPathKey): string;
+export declare function resolveRepositoryGitPath(root: string): string;

package/dist/agents/runtime/operator-access.js

@@ -0,0 +1,95 @@
+import { resolve as resolveAbsolute } from "node:path";
+import { VORATIQ_HISTORY_LOCK_FILENAME, VORATIQ_MESSAGE_DIR, VORATIQ_REDUCTION_DIR, VORATIQ_RUN_DIR, VORATIQ_RUN_FILE, VORATIQ_SPEC_DIR, VORATIQ_VERIFICATION_DIR, } from "../../workspace/constants.js";
+import { resolveWorkspacePath } from "../../workspace/path-resolvers.js";
+export const SANDBOX_STAGE_IDS = [
+    "spec",
+    "run",
+    "reduce",
+    "verify",
+    "message",
+];
+export const OPERATOR_ACCESS_PROFILES = {
+    spec: {
+        readRoot: "repo-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: [
+            "run-dir",
+            "reduce-dir",
+            "verify-dir",
+            "message-dir",
+        ],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: false,
+        readonlyWorkspaceMounts: [],
+    },
+    run: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read-write",
+        protectedOperatorDirs: [
+            "spec-dir",
+            "reduce-dir",
+            "verify-dir",
+            "message-dir",
+        ],
+        protectedMetadataPaths: ["run-index", "run-history-lock"],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: [],
+    },
+    reduce: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "verify-dir", "message-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: [],
+    },
+    verify: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "reduce-dir", "message-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: ["context", "inputs", "reference_repo"],
+    },
+    message: {
+        readRoot: "repo-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "reduce-dir", "verify-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: false,
+        readonlyWorkspaceMounts: [],
+    },
+};
+export function getOperatorAccessProfile(stageId) {
+    return OPERATOR_ACCESS_PROFILES[stageId];
+}
+export function resolveProtectedOperatorDir(root, key) {
+    switch (key) {
+        case "spec-dir":
+            return resolveWorkspacePath(root, VORATIQ_SPEC_DIR);
+        case "run-dir":
+            return resolveWorkspacePath(root, VORATIQ_RUN_DIR);
+        case "reduce-dir":
+            return resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR);
+        case "verify-dir":
+            return resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR);
+        case "message-dir":
+            return resolveWorkspacePath(root, VORATIQ_MESSAGE_DIR);
+    }
+}
+export function resolveProtectedMetadataPath(root, key) {
+    switch (key) {
+        case "run-index":
+            return resolveWorkspacePath(root, VORATIQ_RUN_FILE);
+        case "run-history-lock":
+            return resolveWorkspacePath(root, VORATIQ_RUN_DIR, VORATIQ_HISTORY_LOCK_FILENAME);
+    }
+}
+export function resolveRepositoryGitPath(root) {
+    return resolveAbsolute(root, ".git");
+}

package/dist/agents/runtime/policy.d.ts

@@ -1,6 +1,7 @@
 import type { SandboxFilesystemConfig, SandboxNetworkConfig } from "../../configs/sandbox/types.js";
+import { type SandboxStageId } from "./operator-access.js";
 import type { SandboxPolicyOverrides } from "./types.js";
-export type SandboxStageId = "spec" | "run" | "reduce" | "verify" | "message";
+export type { SandboxStageId } from "./operator-access.js";
 export interface BuildSandboxPolicyInput {
     stageId: SandboxStageId;
     root: string;

package/dist/agents/runtime/policy.js

@@ -1,6 +1,7 @@
 import { isAbsolute, relative, resolve as resolveAbsolute } from "node:path";
-import { VORATIQ_AGENTS_FILE, VORATIQ_ENVIRONMENT_FILE, VORATIQ_HISTORY_LOCK_FILENAME, VORATIQ_ORCHESTRATION_FILE, VORATIQ_REDUCTION_DIR, VORATIQ_RUN_DIR, VORATIQ_RUN_FILE, VORATIQ_SANDBOX_FILE, VORATIQ_SPEC_DIR, VORATIQ_VERIFICATION_DIR, } from "../../workspace/constants.js";
+import { VORATIQ_AGENTS_FILE, VORATIQ_ENVIRONMENT_FILE, VORATIQ_ORCHESTRATION_FILE, VORATIQ_SANDBOX_FILE, } from "../../workspace/constants.js";
 import { resolveWorkspacePath } from "../../workspace/path-resolvers.js";
+import { getOperatorAccessProfile, resolveProtectedMetadataPath, resolveProtectedOperatorDir, resolveRepositoryGitPath, } from "./operator-access.js";
 export function buildSandboxPolicy(input) {
     const { stageId, root, workspacePath, sandboxHomePath, sandboxSettingsPath, runtimePath, artifactsPath, repoRootPath, providerFilesystem, providerNetwork, policyOverrides, stageDenyWritePaths = [], stageDenyReadPaths = [], } = input;
     const baseline = buildBaselineFilesystemPolicy({
@@ -116,55 +117,27 @@ function buildBaselineFilesystemPolicy(options) {
         resolveWorkspacePath(root, VORATIQ_ORCHESTRATION_FILE),
         resolveWorkspacePath(root, VORATIQ_SANDBOX_FILE),
     ];
-    const stageRoots = resolveStageRoots(stageId, root);
+    const stagePaths = resolveStageProtectedPaths(stageId, root);
     // Default deny rules stay symmetric; read-only divergences are explicit.
-    const symmetricDeny = [...commonSensitivePaths, ...stageRoots.symmetric];
+    const symmetricDeny = [...commonSensitivePaths, ...stagePaths.symmetric];
     return {
         allowWrite: [],
-        denyRead: [...symmetricDeny, ...stageRoots.readOnly],
+        denyRead: [...symmetricDeny, ...stagePaths.readOnly],
         denyWrite: [...symmetricDeny],
     };
 }
-function resolveStageRoots(stageId, root) {
-    if (stageId === "run") {
-        return {
-            symmetric: [
-                resolveAbsolute(root, ".git"),
-                resolveWorkspacePath(root, VORATIQ_RUN_FILE),
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR, VORATIQ_HISTORY_LOCK_FILENAME),
-                resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR),
-            ],
-            readOnly: [],
-        };
-    }
-    if (stageId === "spec") {
-        return {
-            symmetric: [
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-                resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR),
-                resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR),
-            ],
-            readOnly: [],
-        };
-    }
-    if (stageId === "verify") {
-        return {
-            symmetric: [
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-                resolveWorkspacePath(root, VORATIQ_SPEC_DIR),
-                resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR),
-            ],
-            // Verification agents should never inspect repository metadata during
-            // blinded review.
-            readOnly: [resolveAbsolute(root, ".git")],
-        };
+function resolveStageProtectedPaths(stageId, root) {
+    const profile = getOperatorAccessProfile(stageId);
+    const symmetric = [
+        ...profile.protectedOperatorDirs.map((key) => resolveProtectedOperatorDir(root, key)),
+        ...profile.protectedMetadataPaths.map((key) => resolveProtectedMetadataPath(root, key)),
+    ];
+    if (profile.gitAccess === "deny-read-write") {
+        symmetric.unshift(resolveRepositoryGitPath(root));
     }
     return {
-        symmetric: [
-            resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-            resolveWorkspacePath(root, VORATIQ_SPEC_DIR),
-        ],
-        readOnly: [resolveAbsolute(root, ".git")],
+        symmetric,
+        readOnly: profile.gitAccess === "deny-read" ? [resolveRepositoryGitPath(root)] : [],
     };
 }
 function resolveFilesystemOverrides(overrides, workspacePath) {

package/dist/agents/runtime/registry.d.ts

@@ -1,4 +1,8 @@
+import type { ChildProcess } from "node:child_process";
 import type { StagedAuthContext } from "./auth.js";
 export declare function registerStagedAuthContext(sessionId: string, context: StagedAuthContext): void;
 export declare function teardownRegisteredAuthContext(sessionId: string, context: StagedAuthContext | undefined): Promise<void>;
 export declare function teardownSessionAuth(sessionId: string | undefined): Promise<void>;
+export declare function registerSessionProcess(sessionId: string | undefined, child: ChildProcess | undefined): void;
+export declare function unregisterSessionProcess(sessionId: string | undefined, child: ChildProcess | undefined): void;
+export declare function terminateSessionProcesses(sessionId: string | undefined): Promise<void>;

package/dist/agents/runtime/registry.js

@@ -1,5 +1,7 @@
 import { teardownAuthContext } from "./auth.js";
 const registry = new Map();
+const processRegistry = new Map();
+const PROCESS_EXIT_WAIT_MS = 2_000;
 export function registerStagedAuthContext(sessionId, context) {
     const existing = registry.get(sessionId);
     if (existing) {
@@ -42,6 +44,48 @@ export async function teardownSessionAuth(sessionId) {
         throw new AggregateError(failures, `Failed to teardown ${failures.length} auth contexts for session ${sessionId}`);
     }
 }
+export function registerSessionProcess(sessionId, child) {
+    if (!sessionId || !child || child.pid === undefined) {
+        return;
+    }
+    const existing = processRegistry.get(sessionId);
+    if (existing) {
+        existing.add(child);
+        return;
+    }
+    processRegistry.set(sessionId, new Set([child]));
+}
+export function unregisterSessionProcess(sessionId, child) {
+    if (!sessionId || !child) {
+        return;
+    }
+    removeProcess(sessionId, child);
+}
+export async function terminateSessionProcesses(sessionId) {
+    if (!sessionId) {
+        return;
+    }
+    const children = processRegistry.get(sessionId);
+    if (!children || children.size === 0) {
+        processRegistry.delete(sessionId);
+        return;
+    }
+    const failures = [];
+    await Promise.all([...children].map(async (child) => {
+        try {
+            await terminateRegisteredProcess(sessionId, child);
+        }
+        catch (error) {
+            failures.push(error instanceof Error ? error : new Error(String(error)));
+        }
+    }));
+    if (failures.length === 1) {
+        throw failures[0];
+    }
+    if (failures.length > 1) {
+        throw new AggregateError(failures, `Failed to terminate ${failures.length} session processes for ${sessionId}`);
+    }
+}
 function removeContext(sessionId, context) {
     const contexts = registry.get(sessionId);
     if (!contexts) {
@@ -52,3 +96,91 @@ function removeContext(sessionId, context) {
         registry.delete(sessionId);
     }
 }
+function removeProcess(sessionId, child) {
+    const children = processRegistry.get(sessionId);
+    if (!children) {
+        return;
+    }
+    children.delete(child);
+    if (children.size === 0) {
+        processRegistry.delete(sessionId);
+    }
+}
+async function terminateRegisteredProcess(sessionId, child) {
+    if (hasExited(child) || child.pid === undefined) {
+        removeProcess(sessionId, child);
+        return;
+    }
+    if (tryTerminateProcessGroup(child.pid, "SIGTERM")) {
+        const exitedOnTerm = await waitForProcessExit(child, PROCESS_EXIT_WAIT_MS);
+        if (exitedOnTerm) {
+            removeProcess(sessionId, child);
+            return;
+        }
+    }
+    else {
+        removeProcess(sessionId, child);
+        return;
+    }
+    if (tryTerminateProcessGroup(child.pid, "SIGKILL")) {
+        const exitedOnKill = await waitForProcessExit(child, PROCESS_EXIT_WAIT_MS);
+        if (exitedOnKill) {
+            removeProcess(sessionId, child);
+            return;
+        }
+    }
+    else {
+        removeProcess(sessionId, child);
+        return;
+    }
+    throw new Error(`Detached agent process ${child.pid} did not exit after SIGTERM and SIGKILL.`);
+}
+function hasExited(child) {
+    return child.exitCode !== null || child.signalCode !== null;
+}
+function tryTerminateProcessGroup(pid, signal) {
+    try {
+        process.kill(-pid, signal);
+        return true;
+    }
+    catch {
+        try {
+            process.kill(pid, signal);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+async function waitForProcessExit(child, timeoutMs) {
+    if (hasExited(child)) {
+        return true;
+    }
+    if (typeof child.once !== "function") {
+        return false;
+    }
+    return await new Promise((resolve) => {
+        let settled = false;
+        const finish = (exited) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (typeof child.removeListener === "function") {
+                child.removeListener("exit", handleExit);
+                child.removeListener("close", handleExit);
+            }
+            clearTimeout(timer);
+            resolve(exited);
+        };
+        const handleExit = () => {
+            finish(true);
+        };
+        const timer = setTimeout(() => {
+            finish(hasExited(child));
+        }, timeoutMs);
+        child.once("exit", handleExit);
+        child.once("close", handleExit);
+    });
+}

package/dist/bin.js

@@ -8,24 +8,68 @@ const SIGNAL_EXIT_CODES = {
     SIGINT: 130,
     SIGTERM: 143,
 };
+const PROCESS_GUARD_SIGNALS = ["SIGHUP", "SIGINT", "SIGTERM"];
 let activeJsonEnvelopeOperator;
 let processGuardsInstalled = false;
+let activeShutdownState;
 function installProcessGuards() {
     if (processGuardsInstalled) {
         return;
     }
     processGuardsInstalled = true;
-    for (const signal of ["SIGHUP", "SIGINT", "SIGTERM"]) {
-        process.once(signal, () => {
-            void handleSignal(signal);
-        });
+    for (const signal of PROCESS_GUARD_SIGNALS) {
+        installSignalGuard(signal);
     }
     process.on("uncaughtException", (error) => {
-        void handleFatalError("uncaught exception", error);
+        void beginFatalShutdown("uncaught exception", error);
     });
     process.on("unhandledRejection", (reason) => {
-        void handleFatalError("unhandled rejection", reason);
+        void beginFatalShutdown("unhandled rejection", reason);
+    });
+}
+function installSignalGuard(signal) {
+    const handler = () => {
+        // Re-arm the listener before awaiting teardown so repeated interrupts stay
+        // inside the coordinated abort path instead of falling through to the
+        // process default signal exit.
+        process.once(signal, handler);
+        void beginSignalShutdown(signal);
+    };
+    process.once(signal, handler);
+}
+async function beginFatalShutdown(context, error) {
+    if (activeShutdownState) {
+        if (activeShutdownState.kind === "signal") {
+            return;
+        }
+        await activeShutdownState.promise;
+        return;
+    }
+    const promise = handleFatalError(context, error).finally(() => {
+        if (activeShutdownState?.promise === promise) {
+            activeShutdownState = undefined;
+        }
     });
+    activeShutdownState = { kind: "fatal", promise };
+    await promise;
+}
+async function beginSignalShutdown(signal) {
+    if (activeShutdownState) {
+        if (activeShutdownState.kind === "signal") {
+            process.exitCode = activeShutdownState.exitCode;
+            await activeShutdownState.promise;
+        }
+        return;
+    }
+    const exitCode = SIGNAL_EXIT_CODES[signal] ?? 1;
+    process.exitCode = exitCode;
+    const promise = handleSignal(signal).finally(() => {
+        if (activeShutdownState?.promise === promise) {
+            activeShutdownState = undefined;
+        }
+    });
+    activeShutdownState = { kind: "signal", exitCode, promise };
+    await promise;
 }
 async function handleFatalError(context, error) {
     await terminateActiveSessionsSafe("failed", context);
@@ -108,73 +152,9 @@ async function flushPendingHistory() {
         console.warn(`[voratiq] Failed to flush interactive history buffers: ${error.message}`);
     }
 }
-async function terminateActiveRunSafe(status, context) {
-    try {
-        const { terminateActiveRun } = await import("./commands/run/lifecycle.js");
-        await terminateActiveRun(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown run after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveVerificationSafe(status, context) {
-    try {
-        const { terminateActiveVerification } = await import("./commands/verify/lifecycle.js");
-        await terminateActiveVerification(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown verification after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveInteractiveSafe(status, context) {
-    try {
-        const { terminateActiveInteractive } = await import("./commands/interactive/lifecycle.js");
-        await terminateActiveInteractive(status, context);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown interactive session after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveMessageSafe(status, context) {
-    try {
-        const { terminateActiveMessage } = await import("./commands/message/lifecycle.js");
-        await terminateActiveMessage(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown message after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
 async function terminateActiveSessionsSafe(status, context) {
-    const runError = await terminateActiveRunSafe(status, context);
-    const verificationError = await terminateActiveVerificationSafe(status, context);
-    const interactiveError = await terminateActiveInteractiveSafe(status, context);
-    const messageError = await terminateActiveMessageSafe(status, context);
-    const errors = [
-        runError,
-        verificationError,
-        interactiveError,
-        messageError,
-    ].filter((error) => error instanceof Error);
-    if (errors.length > 1) {
-        return new AggregateError(errors, `Failed to teardown active sessions after ${context}`);
-    }
-    return errors[0] ?? null;
+    const { terminateRegisteredActiveSessions } = await import("./commands/shared/teardown-registry.js");
+    return await terminateRegisteredActiveSessions(status, context);
 }
 function renderRootLauncherGitGuidance(options) {
     const lines = [];
@@ -359,7 +339,6 @@ async function registerCommands(program, argv) {
         "auto",
         "apply",
         "list",
-        "prune",
         "doctor",
         "mcp",
     ]);
@@ -378,7 +357,6 @@ async function registerCommands(program, argv) {
         program.addCommand((await import("./cli/auto.js")).createAutoCommand());
         program.addCommand((await import("./cli/apply.js")).createApplyCommand());
         program.addCommand((await import("./cli/list.js")).createListCommand());
-        program.addCommand((await import("./cli/prune.js")).createPruneCommand());
         program.addCommand((await import("./cli/doctor.js")).createDoctorCommand());
         program.addCommand((await import("./cli/mcp.js")).createMcpCommand());
         return;
@@ -408,9 +386,6 @@ async function registerCommands(program, argv) {
         case "list":
             program.addCommand((await import("./cli/list.js")).createListCommand());
             break;
-        case "prune":
-            program.addCommand((await import("./cli/prune.js")).createPruneCommand());
-            break;
         case "doctor":
             program.addCommand((await import("./cli/doctor.js")).createDoctorCommand());
             break;