swarph-cli 0.9.0__tar.gz → 0.9.2__tar.gz

{swarph_cli-0.9.0/src/swarph_cli.egg-info → swarph_cli-0.9.2}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: swarph-cli
-Version: 0.9.0
-Summary: The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider, via a ProviderMembrane), cell.yaml, session import, watchdog. v0.9.0 adds `swarph mesh` (send/inbox/register with per-peer tokens) + a provider-agnostic inbox sidecar, and `assisted_memory` (git-backed durable memory: restore-on-spawn + saver loop + current-task anchor) toggled per cell.
+Version: 0.9.2
+Summary: The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider via a ProviderMembrane), cell.yaml, `swarph mesh` (send/inbox/register with per-peer tokens) + inbox sidecar, `assisted_memory` (git-backed durable memory), session import, watchdog. v0.9.2 makes the watchdog deploy-safe: no false A2 when no tmux server is reachable (root-cron), and F3 uses window/session activity so active sessions are correctly detected.
 Author: Pierre Samson, Claude Opus
 License: MIT
 Project-URL: Homepage, https://github.com/darw007d/swarph-cli
@@ -25,7 +25,7 @@ Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: swarph-mesh>=0.5.0
-Requires-Dist: swarph-shared>=0.3.0
+Requires-Dist: swarph-shared>=0.3.1
 Requires-Dist: PyYAML>=6.0
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0; extra == "dev"

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/pyproject.toml

@@ -4,8 +4,8 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "swarph-cli"
-version = "0.9.0"
-description = "The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider, via a ProviderMembrane), cell.yaml, session import, watchdog. v0.9.0 adds `swarph mesh` (send/inbox/register with per-peer tokens) + a provider-agnostic inbox sidecar, and `assisted_memory` (git-backed durable memory: restore-on-spawn + saver loop + current-task anchor) toggled per cell."
+version = "0.9.2"
+description = "The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider via a ProviderMembrane), cell.yaml, `swarph mesh` (send/inbox/register with per-peer tokens) + inbox sidecar, `assisted_memory` (git-backed durable memory), session import, watchdog. v0.9.2 makes the watchdog deploy-safe: no false A2 when no tmux server is reachable (root-cron), and F3 uses window/session activity so active sessions are correctly detected."
 readme = "README.md"
 license = { text = "MIT" }
 requires-python = ">=3.10"
@@ -37,7 +37,10 @@ dependencies = [
     # cell.yaml-format-home RESOLVED). swarph-cli's cell.py now
     # re-exports data shapes from swarph_shared.cell + keeps file
     # I/O + sidecar + slot allocation locally.
-    "swarph-shared>=0.3.0",
+    # >=0.3.1 is load-bearing: 0.3.1 is the first release whose
+    # scrub_env_for_subprocess closes the ANTHROPIC_AUTH_TOKEN/*_BASE_URL
+    # billing-redirect class that the membrane env builders delegate to.
+    "swarph-shared>=0.3.1",
     # Phase 7 spawn — cell.yaml parser. PyYAML 6.x is the standard.
     # Stays a swarph-cli dep since file I/O is operator-tooling-layer
     # concern; swarph-shared cell module is pure-stdlib.

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/src/swarph_cli/__init__.py

@@ -16,6 +16,6 @@ The architecture splits CLI from substrate so:
 
 from __future__ import annotations
 
-__version__ = "0.9.0"
+__version__ = "0.9.2"
 
 __all__ = ["__version__"]

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/src/swarph_cli/commands/import_session.py

@@ -30,6 +30,7 @@ from __future__ import annotations
 import argparse
 import json
 import os
+import re
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
@@ -110,20 +111,45 @@ def _detect_format(path: Path) -> Optional[str]:
     return None
 
 
+def _safe_session_filename(raw: str) -> str:
+    """Reduce an arbitrary session identifier to a SAFE basename confined to
+    the sessions dir.
+
+    The identifier may come from the parsed JSONL (``session_id``), which is
+    untrusted when importing a foreign file: an absolute value (``/etc/cron.d/
+    evil``) would make ``base / name`` discard ``base`` entirely, and ``../``
+    would escape it (adversarial-sweep path-traversal). Strip directory
+    components and whitelist the charset so the result is always a plain
+    filename inside the sessions dir.
+    """
+    # ``Path(...).name`` drops any directory components, incl a leading "/".
+    base_name = Path(str(raw)).name
+    safe = re.sub(r"[^A-Za-z0-9._-]", "_", base_name)
+    # Reject names that are empty or pure dots ("", ".", "..", ...).
+    if not safe.strip("."):
+        safe = "imported-session"
+    return safe
+
+
 def _swarph_native_path(target_session: Optional[str], result: ImportResult) -> Path:
-    """Resolve the target swarph-native session file path."""
+    """Resolve the target swarph-native session file path (path-traversal-safe)."""
     base = Path.home() / ".swarph" / "sessions"
     base.mkdir(parents=True, exist_ok=True)
-    if target_session:
-        name = target_session
-    else:
-        name = (
-            result.metadata.get("session_id")
-            or Path(result.report.source_path).stem
-        )
+    raw = target_session or (
+        result.metadata.get("session_id")
+        or Path(result.report.source_path).stem
+    )
+    name = _safe_session_filename(raw)
     if not name.endswith(".jsonl"):
         name = f"{name}.jsonl"
-    return base / name
+    out = base / name
+    # Defense in depth: the sanitized name has no separators, so this always
+    # holds — but assert the write target is a direct child of the sessions dir.
+    if out.resolve().parent != base.resolve():
+        raise ValueError(
+            f"import: refusing to write session outside {base} (got {out})"
+        )
+    return out
 
 
 def _write_swarph_native_session(

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/src/swarph_cli/commands/spawn.py

@@ -42,6 +42,7 @@ from swarph_cli.cell import (
     read_starter_prompt,
     resolve_cell_path,
 )
+from swarph_shared.subprocess_env import scrub_env_for_subprocess
 
 
 _BANNER = """\
@@ -79,11 +80,13 @@ Anything after a literal `--` is passed through to the provider CLI unchanged
 """
 
 
-_CODEX_BILLING_LEAK_KEYS = (
-    "OPENAI_API_KEY",
-    "OPENAI_API_BASE",
-    "OPENAI_BASE_URL",
-    "CODEX_API_KEY",
+# Codex-specific org-scoping keys NOT covered by the shared billing denylist
+# (scrub_env_for_subprocess already strips OPENAI_API_KEY / OPENAI_API_BASE /
+# OPENAI_BASE_URL via its explicit set + *_BASE_URL/*_API_KEY suffix sweep, and
+# CODEX_API_KEY via the *_API_KEY suffix). These two route billing to a specific
+# org rather than redirect the endpoint, so they live as a codex-layer extra on
+# top of the canonical scrub.
+_CODEX_EXTRA_LEAK_KEYS = (
     "OPENAI_ORG_ID",
     "OPENAI_ORGANIZATION",
 )
@@ -323,13 +326,30 @@ def _codex_sandbox(cell: Cell) -> str:
     return sandbox
 
 
+def _claude_env() -> dict[str, str]:
+    """Subscription-billing env for an interactive ``claude`` session.
+
+    The canonical billing-redirect scrub plus the SWARPH_SPAWN marker. Without
+    this an ``ANTHROPIC_BASE_URL`` / ``ANTHROPIC_AUTH_TOKEN`` set in the parent
+    env (an identity proxy / metered relay) would be inherited by the spawned
+    ``claude`` and silently flip it off subscription auth to a metered endpoint
+    while still reporting ``cost_usd`` 0.0 — the adversarial-sweep CRIT.
+    """
+    env = scrub_env_for_subprocess()
+    env["SWARPH_SPAWN"] = "1"
+    return env
+
+
 def _agy_env() -> dict[str, str]:
-    """Return a copy of the environment scrubbed of billing credentials."""
-    env = os.environ.copy()
-    env.pop("GOOGLE_APPLICATION_CREDENTIALS", None)
-    env.pop("GOOGLE_CLOUD_PROJECT", None)
-    env.pop("VERTEX_PROJECT", None)
-    env.pop("VERTEX_LOCATION", None)
+    """Subscription-billing env for an ``agy`` (antigravity/Gemini) session.
+
+    Delegates to the shared scrub, which strips the full billing-redirect class
+    (GEMINI_API_KEY / GOOGLE_API_KEY / GEMINI_BASE_URL / GOOGLE_APPLICATION_
+    CREDENTIALS / GOOGLE_CLOUD_PROJECT / VERTEX_*) — a superset of the four GCP
+    keys this previously popped by hand.
+    """
+    env = scrub_env_for_subprocess()
+    env["SWARPH_SPAWN"] = "1"
     return env
 
 
@@ -373,11 +393,14 @@ def _build_codex_argv(cell: Cell, passthrough: list[str]) -> list[str]:
 
 
 def _scrubbed_codex_env() -> dict[str, str]:
-    env = {
-        key: value
-        for key, value in os.environ.items()
-        if key not in _CODEX_BILLING_LEAK_KEYS
-    }
+    """Subscription-billing env for a ``codex`` (GPT) session.
+
+    The shared billing-redirect scrub plus the codex-specific org-scoping keys
+    (see ``_CODEX_EXTRA_LEAK_KEYS``) that the shared denylist does not cover.
+    """
+    env = scrub_env_for_subprocess()
+    for key in _CODEX_EXTRA_LEAK_KEYS:
+        env.pop(key, None)
     env["SWARPH_SPAWN"] = "1"
     return env
 
@@ -648,14 +671,14 @@ class ClaudeMembrane(ProviderMembrane):
             print(f"swarph spawn: cannot chdir to {cell.cwd}: {exc}", file=sys.stderr)
             return 1
 
-        # v0.7 PR-C — set SWARPH_SPAWN=1 env so a SessionStart hook
-        # installed via `swarph install-hook` knows the prompt was
-        # already injected via --append-system-prompt and skips
-        # double-injection. The env propagates through execv since we
-        # don't use execve with a custom env.
-        os.environ["SWARPH_SPAWN"] = "1"
+        # Exec with the billing-redirect-scrubbed env (NOT raw inherited env) so
+        # a parent-set ANTHROPIC_BASE_URL/ANTHROPIC_AUTH_TOKEN can't silently
+        # flip the spawned claude off subscription billing. SWARPH_SPAWN=1 (set
+        # in _claude_env) tells a `swarph install-hook` SessionStart hook the
+        # prompt was already injected via --append-system-prompt, so it skips
+        # double-injection. execve carries exactly this env to the child.
         try:
-            os.execv(binary, argv)
+            os.execve(binary, argv, _claude_env())
         except OSError as exc:
             print(f"swarph spawn: exec failed: {exc}", file=sys.stderr)
             return 1
@@ -723,12 +746,10 @@ class AntigravityMembrane(ProviderMembrane):
         )
 
     def launch(self, cell: Cell, binary: str, argv: list[str]) -> int:
-        env = _agy_env()
-        os.environ.clear()
-        os.environ.update(env)
-        os.environ["SWARPH_SPAWN"] = "1"
+        # execve carries exactly the scrubbed env to the child without mutating
+        # this process's os.environ first (so a failed exec leaves us intact).
         try:
-            os.execv(binary, argv)
+            os.execve(binary, argv, _agy_env())
         except OSError as exc:
             print(f"swarph spawn: exec failed: {exc}", file=sys.stderr)
             return 1
@@ -741,6 +762,17 @@ MEMBRANES: dict[str, ProviderMembrane] = {
     "antigravity": AntigravityMembrane(),
 }
 
+# Defensive coupling: MEMBRANES must stay in lockstep with the shared provider
+# whitelist. A future VALID_PROVIDERS entry without a matching membrane would
+# otherwise surface as a raw KeyError at spawn time — fail loud at import instead.
+from swarph_shared.cell import VALID_PROVIDERS as _VALID_PROVIDERS  # noqa: E402
+
+if set(MEMBRANES) != _VALID_PROVIDERS:
+    raise RuntimeError(
+        f"MEMBRANES {sorted(MEMBRANES)} out of sync with VALID_PROVIDERS "
+        f"{sorted(_VALID_PROVIDERS)} — add the missing provider membrane."
+    )
+
 
 def run_spawn(argv: Optional[list[str]] = None) -> int:
     if argv is None:
@@ -781,7 +813,18 @@ def run_spawn(argv: Optional[list[str]] = None) -> int:
         print(f"swarph spawn: {exc}", file=sys.stderr)
         return 1
 
-    membrane = MEMBRANES[cell.provider]
+    membrane = MEMBRANES.get(cell.provider)
+    if membrane is None:
+        # Defense-in-depth: VALID_PROVIDERS (in load_cell) normally rejects
+        # unknown providers first, and _validate_routing covers the routing-field
+        # path — but a routing-less cell of an unmembraned provider would have hit
+        # a raw KeyError here. Fail clean instead (silent-failure-hunter #4).
+        print(
+            f"swarph spawn: provider {cell.provider!r} is not supported by this "
+            f"spawn membrane (have: {', '.join(sorted(MEMBRANES))}).",
+            file=sys.stderr,
+        )
+        return 1
 
     session_id: Optional[str]
     was_generated = False

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/src/swarph_cli/commands/watchdog.py

@@ -358,28 +358,70 @@ def _gateway_recent_recovery_event(
     return None
 
 
+def _pid_under(pid: int, ancestors: set, _max_depth: int = 40) -> bool:
+    """Walk the PPID chain up from ``pid``; True if any ancestor is in
+    ``ancestors``. Reads ``/proc/<pid>/stat`` (Linux). The ``comm`` field can
+    contain spaces/parens, so parse PPID after the final ``)``."""
+    cur = pid
+    for _ in range(_max_depth):
+        if cur in ancestors:
+            return True
+        if cur <= 1:
+            return False
+        try:
+            with open(f"/proc/{cur}/stat", encoding="utf-8") as f:
+                data = f.read()
+            after = data[data.rfind(")") + 2:].split()
+            cur = int(after[1])  # stat field 4 (PPID): state, ppid, ...
+        except (OSError, ValueError, IndexError):
+            return False
+    return cur in ancestors
+
+
 def _process_alive(tmux_session: str) -> bool:
-    """Detect if a claude process is running inside the tmux session.
+    """Detect if a claude process is running INSIDE the named tmux session.
 
-    Returns True iff there's at least one ``claude`` process whose
-    parent is the named tmux session. Best-effort; uses pgrep+ps; falls
-    back to True (assume alive) if detection itself errors so we don't
-    fire A2 on detection-broken-system.
+    Scopes to the session's pane PIDs (and their descendants) rather than a
+    host-wide ``pgrep claude``: on a multi-session host, an unrelated cell's
+    claude would otherwise mask THIS session's death and suppress the A2 alert
+    (adversarial-sweep MED). Best-effort; falls back to True (assume alive) on
+    detection error so a broken detector never false-fires A2.
     """
     try:
-        result = subprocess.run(
+        panes = subprocess.run(
+            ["tmux", "list-panes", "-t", tmux_session, "-F", "#{pane_pid}"],
+            capture_output=True, text=True, timeout=5,
+        )
+        if panes.returncode != 0:
+            # list-panes fails for TWO very different reasons:
+            #   (a) the tmux server is reachable but this session is genuinely
+            #       gone → really dead → False (let A2 fire).
+            #   (b) there is no tmux server reachable from THIS uid (e.g. the
+            #       watchdog runs as root while sessions live under ubuntu's
+            #       /tmp/tmux-1000 socket) → we simply CAN'T determine liveness
+            #       via tmux → must NOT false-fire A2.
+            # Distinguish by probing the server itself.
+            server = subprocess.run(
+                ["tmux", "list-sessions"],
+                capture_output=True, text=True, timeout=5,
+            )
+            if server.returncode != 0:
+                return True  # no reachable tmux server here → can't tell → assume alive
+            return False     # server reachable, session absent → genuinely dead
+        pane_pids = {int(p) for p in panes.stdout.split() if p.strip().isdigit()}
+        if not pane_pids:
+            return True  # ambiguous (session with no pane pids) → don't false-fire
+
+        pg = subprocess.run(
             ["pgrep", "-f", "claude"],
             capture_output=True, text=True, timeout=5,
         )
-        if result.returncode != 0:
-            return False  # no claude process anywhere
-        # At least one claude found — return True.
-        # We don't enforce tmux-parentage here since pgrep matching by
-        # tmux-pane-process is fragile across tmux versions; "any claude"
-        # is sufficient for FALLBACK signal per mother #1021 AND-gate
-        # design (cursor staleness is the PRIMARY).
-        return bool(result.stdout.strip())
-    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        if pg.returncode != 0:
+            return False  # no claude process anywhere on the host
+        claude_pids = [int(p) for p in pg.stdout.split() if p.strip().isdigit()]
+        # Alive only if a claude process is a descendant of THIS session's panes.
+        return any(_pid_under(cpid, pane_pids) for cpid in claude_pids)
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError, ValueError):
         return True  # assume alive on detection error
 
 
@@ -406,34 +448,39 @@ def _tmux_send_keys(name: str, text: str) -> bool:
 
 
 def _pane_activity_age_sec(name: str) -> Optional[int]:
-    """Age in seconds since the tmux pane's last activity event.
-
-    Reads tmux's `#{pane_activity}` format variable, which returns a unix
-    epoch timestamp of the most recent activity in the active pane of the
-    target session. Returns None if tmux is missing, the session doesn't
-    exist, or tmux's output isn't parseable as an integer epoch.
-
-    Used by F3 (mother #1087 / drop-on-meta-edge proposal) as a third
-    AND-gate input to distinguish (a) session genuinely stalled from (b)
-    session actively working in a long bash block. cursor-mtime alone
-    measures "time since last turn-end" not "time since last activity";
-    pane_activity covers the mid-turn-active case.
-
-    Returns None on detection error so the caller can fall through to
-    the legacy AND-gate behavior — F3 is a strengthening of the gate,
-    not a replacement of it.
+    """Age in seconds since the target session's most recent tmux activity.
+
+    Reads tmux activity-timestamp format vars and uses the MOST RECENT
+    (max epoch) across pane / window / session. ``#{pane_activity}`` is only
+    populated when monitor-activity is on (empty on a default tmux 3.x), so
+    relying on it alone made F3 a no-op — it returned None and never
+    suppressed A1 for a genuinely-active session (adversarial-deploy finding
+    2026-06-02). ``#{window_activity}`` / ``#{session_activity}`` are tracked
+    unconditionally and give the same "is this session alive right now" signal.
+
+    Used by F3 (mother #1087) as a third AND-gate input to distinguish (a) a
+    session genuinely stalled from (b) one actively working in a long bash
+    block where cursor-mtime (last turn-end) is stale but the session is alive.
+
+    Returns None only when NO activity timestamp is parseable (tmux missing /
+    session absent), so the caller falls through to the legacy AND-gate.
     """
     try:
         result = subprocess.run(
-            ["tmux", "display", "-p", "-t", name, "#{pane_activity}"],
+            ["tmux", "display", "-p", "-t", name,
+             "#{pane_activity}|#{window_activity}|#{session_activity}"],
             capture_output=True, text=True, timeout=5,
         )
         if result.returncode != 0:
             return None
-        out = result.stdout.strip()
-        if not out:
+        epochs = []
+        for tok in result.stdout.strip().split("|"):
+            tok = tok.strip()
+            if tok.isdigit():
+                epochs.append(int(tok))
+        if not epochs:
             return None
-        return max(0, _now() - int(out))
+        return max(0, _now() - max(epochs))
     except (subprocess.TimeoutExpired, FileNotFoundError, OSError, ValueError):
         return None
 

{swarph_cli-0.9.0 → swarph_cli-0.9.2/src/swarph_cli.egg-info}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: swarph-cli
-Version: 0.9.0
-Summary: The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider, via a ProviderMembrane), cell.yaml, session import, watchdog. v0.9.0 adds `swarph mesh` (send/inbox/register with per-peer tokens) + a provider-agnostic inbox sidecar, and `assisted_memory` (git-backed durable memory: restore-on-spawn + saver loop + current-task anchor) toggled per cell.
+Version: 0.9.2
+Summary: The `swarph` binary — multi-LLM CLI + mesh-gateway integration: multi-provider spawn (claude/codex/antigravity per cell.provider via a ProviderMembrane), cell.yaml, `swarph mesh` (send/inbox/register with per-peer tokens) + inbox sidecar, `assisted_memory` (git-backed durable memory), session import, watchdog. v0.9.2 makes the watchdog deploy-safe: no false A2 when no tmux server is reachable (root-cron), and F3 uses window/session activity so active sessions are correctly detected.
 Author: Pierre Samson, Claude Opus
 License: MIT
 Project-URL: Homepage, https://github.com/darw007d/swarph-cli
@@ -25,7 +25,7 @@ Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: swarph-mesh>=0.5.0
-Requires-Dist: swarph-shared>=0.3.0
+Requires-Dist: swarph-shared>=0.3.1
 Requires-Dist: PyYAML>=6.0
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0; extra == "dev"

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/src/swarph_cli.egg-info/requires.txt

@@ -1,5 +1,5 @@
 swarph-mesh>=0.5.0
-swarph-shared>=0.3.0
+swarph-shared>=0.3.1
 PyYAML>=6.0
 
 [dev]

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/tests/test_cell_loader.py

@@ -194,7 +194,7 @@ def test_load_cell_top_level_must_be_mapping(tmp_path):
 
 def test_load_cell_invalid_peer_name_rejected(cell_yaml_factory):
     path = cell_yaml_factory(name="UPPER_CASE")
-    with pytest.raises(CellError, match="kebab/snake-case"):
+    with pytest.raises(CellError, match="kebab-case"):
         load_cell(path)
 
 

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/tests/test_import_command.py

@@ -286,3 +286,35 @@ def test_swarph_native_path_falls_back_to_filename_stem(tmp_path, monkeypatch):
     )
     p = _swarph_native_path(None, result)
     assert p.name == "no-session-id.jsonl"
+
+
+def test_swarph_native_path_rejects_path_traversal(tmp_path, monkeypatch):
+    """Adversarial-sweep MED: a malicious imported JSONL whose session_id is a
+    traversal or absolute path must NOT escape the sessions dir on write."""
+    monkeypatch.setattr(Path, "home", lambda: tmp_path)
+    from swarph_cli.parsers.claude import ImportReport, ImportResult
+
+    sessions = tmp_path / ".swarph" / "sessions"
+    for evil in ("../../../../etc/cron.d/evil", "/etc/cron.d/evil",
+                 "../../.bashrc", "a/b/c"):
+        result = ImportResult(
+            messages=[],
+            report=ImportReport(source_path="/x/foo.jsonl"),
+            metadata={"session_id": evil},
+        )
+        p = _swarph_native_path(None, result)
+        # Always a direct child of the sessions dir — never escapes.
+        assert p.resolve().parent == sessions.resolve(), f"{evil!r} -> {p}"
+        assert "/" not in p.name.replace(".jsonl", "")
+        assert ".." not in p.name
+
+
+def test_swarph_native_path_explicit_target_also_sanitized(tmp_path, monkeypatch):
+    monkeypatch.setattr(Path, "home", lambda: tmp_path)
+    from swarph_cli.parsers.claude import ImportReport, ImportResult
+
+    result = ImportResult(messages=[], report=ImportReport(source_path="/x/foo.jsonl"),
+                          metadata={"session_id": "S-1"})
+    p = _swarph_native_path("/etc/passwd", result)
+    assert p.parent == tmp_path / ".swarph" / "sessions"
+    assert p.name == "passwd.jsonl"

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/tests/test_spawn_command.py

@@ -901,19 +901,54 @@ def test_build_agy_argv_sandbox_false(tmp_path):
 
 
 def test_agy_env_scrub(monkeypatch):
-    """Verify _agy_env correctly scrubs billing environment variables."""
+    """Verify _agy_env scrubs the full billing-redirect class via the shared
+    scrub — including the GEMINI_API_KEY/GOOGLE_API_KEY/GEMINI_BASE_URL keys the
+    old hand-rolled four-key pop missed."""
     from swarph_cli.commands.spawn import _agy_env
 
     monkeypatch.setenv("GOOGLE_APPLICATION_CREDENTIALS", "/some/path.json")
     monkeypatch.setenv("GOOGLE_CLOUD_PROJECT", "project-123")
     monkeypatch.setenv("VERTEX_PROJECT", "v-project")
     monkeypatch.setenv("VERTEX_LOCATION", "us-central1")
+    # Previously NOT scrubbed by _agy_env's four-key pop — now covered:
+    monkeypatch.setenv("GEMINI_API_KEY", "leak")
+    monkeypatch.setenv("GOOGLE_API_KEY", "leak")
+    monkeypatch.setenv("GEMINI_BASE_URL", "https://metered.example")
+    monkeypatch.setenv("KEEP_ME", "ok")
 
     env = _agy_env()
     assert "GOOGLE_APPLICATION_CREDENTIALS" not in env
     assert "GOOGLE_CLOUD_PROJECT" not in env
     assert "VERTEX_PROJECT" not in env
     assert "VERTEX_LOCATION" not in env
+    assert "GEMINI_API_KEY" not in env
+    assert "GOOGLE_API_KEY" not in env
+    assert "GEMINI_BASE_URL" not in env
+    assert env["KEEP_ME"] == "ok"
+    assert env["SWARPH_SPAWN"] == "1"
+
+
+def test_claude_env_scrubs_billing_redirect(monkeypatch):
+    """CRIT regression (adversarial-sweep 2026-06-01): the interactive claude
+    membrane must NOT inherit ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL from the
+    parent env — they would silently flip the spawned claude off subscription
+    auth to a metered/relay endpoint while cost_usd still reports 0.0."""
+    from swarph_cli.commands.spawn import _claude_env
+
+    monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-leak")
+    monkeypatch.setenv("ANTHROPIC_AUTH_TOKEN", "tok-leak")
+    monkeypatch.setenv("ANTHROPIC_BASE_URL", "https://metered.relay.example")
+    monkeypatch.setenv("PATH", "/usr/bin:/bin")
+    monkeypatch.setenv("KEEP_ME", "ok")
+
+    env = _claude_env()
+    assert "ANTHROPIC_API_KEY" not in env
+    assert "ANTHROPIC_AUTH_TOKEN" not in env
+    assert "ANTHROPIC_BASE_URL" not in env
+    # Non-billing env survives so the claude TUI still works.
+    assert "PATH" in env
+    assert env["KEEP_ME"] == "ok"
+    assert env["SWARPH_SPAWN"] == "1"
 
 
 def test_run_spawn_antigravity_dry_run(tmp_path, isolated_xdg, capsys):

{swarph_cli-0.9.0 → swarph_cli-0.9.2}/tests/test_watchdog.py

@@ -132,6 +132,7 @@ def test_stale_cursor_alive_process_unread_dms_fires_a1(
     with patch("swarph_cli.commands.watchdog._process_alive", return_value=True), \
          patch("swarph_cli.commands.watchdog._gateway_unread_count", return_value=3), \
          patch("swarph_cli.commands.watchdog._tmux_session_exists", return_value=True), \
+         patch("swarph_cli.commands.watchdog._pane_activity_age_sec", return_value=None), \
          patch("swarph_cli.commands.watchdog._tmux_send_keys", return_value=True) as send_mock:
         rc = run_watchdog(argv=[
             "--check", "--cell", "lab",
@@ -279,6 +280,7 @@ def test_a1_fires_at_most_once_per_stale_window(
     with patch("swarph_cli.commands.watchdog._process_alive", return_value=True), \
          patch("swarph_cli.commands.watchdog._gateway_unread_count", return_value=3), \
          patch("swarph_cli.commands.watchdog._tmux_session_exists", return_value=True), \
+         patch("swarph_cli.commands.watchdog._pane_activity_age_sec", return_value=None), \
          patch("swarph_cli.commands.watchdog._tmux_send_keys", return_value=True) as send_mock:
         # First invocation — A1 fires
         rc1 = run_watchdog(argv=[
@@ -322,6 +324,7 @@ def test_a1_rearms_after_cursor_advance(
     with patch("swarph_cli.commands.watchdog._process_alive", return_value=True), \
          patch("swarph_cli.commands.watchdog._gateway_unread_count", return_value=2), \
          patch("swarph_cli.commands.watchdog._tmux_session_exists", return_value=True), \
+         patch("swarph_cli.commands.watchdog._pane_activity_age_sec", return_value=None), \
          patch("swarph_cli.commands.watchdog._tmux_send_keys", return_value=True) as send_mock:
         # First A1 fires
         run_watchdog(argv=[
@@ -482,6 +485,7 @@ def test_a2_escalation_clears_a1_marker(
     with patch("swarph_cli.commands.watchdog._process_alive", return_value=True), \
          patch("swarph_cli.commands.watchdog._gateway_unread_count", return_value=5), \
          patch("swarph_cli.commands.watchdog._tmux_session_exists", return_value=True), \
+         patch("swarph_cli.commands.watchdog._pane_activity_age_sec", return_value=None), \
          patch("swarph_cli.commands.watchdog._tmux_send_keys", return_value=True):
         # First fire — record marker
         run_watchdog(argv=[
@@ -712,3 +716,108 @@ def test_resolve_swarph_bin_relative_with_slash_resolves_to_absolute(tmp_path, m
         f"resolver returned non-absolute path: {resolved!r}"
     )
     assert resolved == str(fake)
+
+
+# ---------------------------------------------------------------------------
+# _process_alive — session-scoped (adversarial-sweep MED, watchdog.py:361)
+# ---------------------------------------------------------------------------
+
+import os
+import swarph_cli.commands.watchdog as _wd
+
+
+class _R:
+    def __init__(self, returncode, stdout=""):
+        self.returncode = returncode
+        self.stdout = stdout
+
+
+def _fake_run_factory(panes_rc, panes_out, pgrep_rc, pgrep_out, sessions_rc=0):
+    """Mock subprocess.run distinguishing tmux list-panes vs list-sessions."""
+    def fake_run(cmd, **kw):
+        if cmd[0] == "tmux" and cmd[1] == "list-panes":
+            return _R(panes_rc, panes_out)
+        if cmd[0] == "tmux" and cmd[1] == "list-sessions":
+            return _R(sessions_rc, "" if sessions_rc else "lab: 1 windows\n")
+        if cmd[0] == "pgrep":
+            return _R(pgrep_rc, pgrep_out)
+        return _R(1, "")
+    return fake_run
+
+
+def test_pid_under_walks_proc_ancestry():
+    pid = os.getpid()
+    assert _wd._pid_under(pid, {pid}) is True            # self
+    assert _wd._pid_under(pid, {os.getppid()}) is True   # parent
+    assert _wd._pid_under(pid, {999999999}) is False     # bogus ancestor
+
+
+def test_process_alive_ignores_host_wide_claude(monkeypatch):
+    """A claude process that is NOT a descendant of THIS session's panes must
+    NOT count as alive (the old host-wide pgrep masked dead sessions)."""
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        _fake_run_factory(0, "1000\n", 0, "2000\n"))
+    monkeypatch.setattr(_wd, "_pid_under", lambda pid, anc, **k: False)
+    assert _wd._process_alive("mysess") is False
+
+
+def test_process_alive_true_when_claude_under_session(monkeypatch):
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        _fake_run_factory(0, "1000\n", 0, "2000\n"))
+    monkeypatch.setattr(_wd, "_pid_under", lambda pid, anc, **k: True)
+    assert _wd._process_alive("mysess") is True
+
+
+def test_process_alive_false_when_session_absent_but_server_up(monkeypatch):
+    """Server reachable + this session genuinely gone → dead (A2 may fire)."""
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        _fake_run_factory(1, "", 0, "2000\n", sessions_rc=0))
+    assert _wd._process_alive("ghost") is False
+
+
+def test_process_alive_assumes_alive_when_no_tmux_server(monkeypatch):
+    """Regression (deploy 2026-06-02): the watchdog runs as ROOT, whose tmux
+    socket is empty — list-panes AND list-sessions both fail. We CANNOT
+    determine liveness via tmux, so must assume alive, NOT false-fire an A2
+    respawn of a session that's actually alive under ubuntu's tmux."""
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        _fake_run_factory(1, "", 0, "2000\n", sessions_rc=1))
+    assert _wd._process_alive("lab") is True
+
+
+def test_process_alive_false_when_no_claude_anywhere(monkeypatch):
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        _fake_run_factory(0, "1000\n", 1, ""))
+    assert _wd._process_alive("mysess") is False
+
+
+# ---------------------------------------------------------------------------
+# _pane_activity_age_sec — fallback across pane/window/session (F3 fix 2026-06-02)
+# ---------------------------------------------------------------------------
+
+
+def test_pane_activity_age_falls_back_when_pane_empty(monkeypatch):
+    """pane_activity is empty without monitor-activity (tmux 3.x). F3 must fall
+    back to window/session activity, NOT return None — returning None made F3 a
+    no-op and let A1 fire against a genuinely-active session."""
+    recent = _wd._now() - 30
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        lambda cmd, **kw: _R(0, f"|{recent}|{recent - 5}\n"))
+    age = _wd._pane_activity_age_sec("lab")
+    assert age is not None
+    assert 25 <= age <= 40  # ~30s, allowing for execution slack
+
+
+def test_pane_activity_age_none_when_all_blank(monkeypatch):
+    monkeypatch.setattr(_wd.subprocess, "run", lambda cmd, **kw: _R(0, "||\n"))
+    assert _wd._pane_activity_age_sec("lab") is None
+
+
+def test_pane_activity_age_takes_most_recent(monkeypatch):
+    """Uses the MAX (most recent) epoch across the three vars."""
+    now = _wd._now()
+    # pane empty, window 500s ago, session 10s ago → most recent = 10s
+    monkeypatch.setattr(_wd.subprocess, "run",
+                        lambda cmd, **kw: _R(0, f"|{now - 500}|{now - 10}\n"))
+    age = _wd._pane_activity_age_sec("lab")
+    assert age is not None and age <= 20