Changelog — Fixes

What this fixes

codepulse-pulse.sh was the Linux/macOS sibling of codepulse-pulse.ps1 and had the SAME env-var-fragility class that hit the Windows hook in the v2.3.142 outage — different triggers, identical failure mode:

• Profile-cleaner sweeps wiping ~/.bashrc / ~/.zshrc (analogous to Windows AV cleaners pruning HKCU:\Environment).
• sudo invocations that strip CODEPULSE_HOME from the environment.
• Stale shell sessions whose env was loaded before install.
• systemd user units / launchd plists with restricted env passthrough.

Pre-fix: any of these paths → resolver chain falls through (env → script-location inference) → if neither matches, hook silently exits with no diagnostic. Telegram surface dark, /health reports hooksHealthy: true because the original release only checked the Windows flag path.

What changed (TAB-668)

install/hooks/codepulse-pulse.sh — 4-tier resolver (TAB-649 parity)

1. Anchor file beside the script (codepulse-home.txt). Single line, plain text, absolute path. Trim whitespace, validate [[ -d ]] and [[ -f $value/.env ]].
2. CODEPULSE_HOME env var (legacy primary).
3. Script-location inference (install/hooks/.. -> root walk).
4. Stamp diag flag and exit silently if all three above fail.

POSIX-atomic flag write: printf > tmp.$$ followed by mv -f (rename is atomic on the same filesystem). JSON payload constructed without a jq dependency, with proper escaping of \\, ", \t, \n, \r plus a control-char scrub for 0x00–0x1F so paths containing exotic bytes can't produce flag-unparseable JSON.

Stale-flag cleanup: rm -f first, fall back to truncate-to-empty (: > file) if the file is locked. Empty content is treated as "healthy" by readHookHealthFlag.

Orphan-tmp sweep with age guard (>5 seconds) so concurrent hook invocations don't race-clobber each other's in-flight tmp files. Cross-platform stat: tries stat -c %Y (GNU), falls back to stat -f %m (BSD/macOS).

install/lib/place-hooks.sh

New --codepulse-home <path> arg. When supplied AND target is a directory containing .env, the installer drops codepulse-home.txt next to the copied hook. Anchor write is non-fatal — a transient FS hiccup logs a WARN but doesn't break the install. Also rejects empty --codepulse-home arg up-front, and rejects target paths containing newline / CR (which would corrupt the bash hook's anchor-read trim semantics).

install/install.sh

Hoists single canonical CP_HOME_NORMALIZED (mirrors the same TAB-666 dedup we did on Windows). One source-of-truth for the path; passes through --codepulse-home to place-hooks.sh Step 3 and set-codepulse-home.sh Step 5.

install/lib/uninstall-hooks.sh

Step 2/3 now also removes codepulse-home.txt alongside the hook script. Idempotent — silent skip when absent (legacy installs from before TAB-668).

src/agent/approval-bridge-server.ts

The bridge's readHookHealthFlag() now probes BOTH platform paths:

• Windows: %APPDATA%\CodePulse\diagnostics\hook-unresolved.flag
• Unix: $HOME/.codepulse/diagnostics/hook-unresolved.flag

When BOTH exist (rare; cross-host dev box running Windows + WSL/git-bash), the freshest by mtime wins. On tied mtime, the LAST candidate in iteration order wins (Unix), so a Linux/macOS dev sees their host shell's hook signal first.

Cross-platform CI is now real

Up to this release, the bash code was tested via git-bash on Windows in the Vitest suite. git-bash is bash 5+ but with Windows path semantics — close to but not identical to real Linux bash.

New workflow .github/workflows/tests-sh-linux.yml runs on ubuntu-latest:

1. bash -n syntax check on all 4 modified .sh files.
2. Vitest run of ONLY tests/unit/tab-668-anchor-resolver-sh.test.ts (the file that doesn't use vi.mock, so it dodges the documented Linux-Vitest mock-hoisting flake class that prevents the FULL suite from running on Linux).

Not a release gate today (runs on every dev push but doesn't block versioning.yml). A future ticket will promote it to a hard gate after one or two release cycles of stability soak. The Windows tests.yml workflow remains the gating authority — the new Linux job is an early-warning system.

The first run of the new workflow was green on the v2.3.147 commit. ✅

Tests

18 new tests in tab-668-anchor-resolver-sh.test.ts mirroring the TAB-649 coverage matrix:

• A: place-hooks anchor-file write semantics (5 tests)
• B: uninstall anchor cleanup (2 tests)
• C: hook-script resolver chain via isolated tmp HOME (4 tests)
• D: cross-platform readHookHealthFlag Unix-path semantics (7 tests, including the tied-mtime tie-break and the Windows-vs-Unix freshest-wins case)

Adversarial review × 2 per the project's quality protocol for cross-platform changes. Round 1 found 2 HIGH (JSON escape inconsistency + concurrent tmp race) + 4 MEDIUM + 5 LOW; Round 2 found 2 MEDIUM + 5 LOW. All HIGHs and primary MEDIUMs/LOWs applied.

Acknowledged drift vs Windows

The bash port is intentionally simpler in two places:

• No registry tier. POSIX has no analogue to Windows' HKCU registry (a system-wide-user persistent KV store outside the env). The 4-tier chain is the maximum natural depth.
• No per-process diag-jsonl writer. The Windows hook has a Write-HookDiag jsonl logger for richer diag (anchor-vs-env-mismatch warnings etc.); the bash side relies on the hook-unresolved.flag for the operator-visible signal. A hypothetical mismatch (env var pointing somewhere different from the anchor) is silent on Linux/macOS — anchor wins by design.

TAB-665 EPIC complete

This release closes the EPIC TAB-665 ("Hook resolver hardening + .sh parity — TAB-649 follow-ups"). Three sub-tickets, two release tags (v2.3.146 + v2.3.147), zero merge bubbles in the dev branch, zero force-pushes, zero pre-existing test regressions. The original v2.3.142 outage failure mode is now structurally impossible across both supported operating systems.

TAB-667 — Step 5 demoted to non-fatal

Pre-TAB-667, a transient hiccup at Step 5 (writing CODEPULSE_HOME to the user-scope registry / shell config) routed through Read-FailureChoice — the Retry/Skip/Abort prompt that defaults to Abort in silent (NSIS-driven) mode. Abort triggered Invoke-Rollback, which uninstalled everything (hook script, anchor file, settings.json hooks, the lot) and exit-1'd, even though Steps 1–4 had ALL succeeded.

Common triggers in real environments:

• AV scanners momentarily locking HKCU:\Environment during install
• Profile-cleaner tools blocking registry writes
• .bashrc / .zshrc locked by editor / FS sync (OneDrive, Dropbox, iCloud)
• Immutable bit / restricted-shell environments (corporate Linux)

Now: the env-var write failure is non-fatal — the installer logs a WARN line (visible in the install log + Telegram notification on failure) and continues. The hook still works because the anchor file (TAB-649 / v2.3.145) is the primary CodePulseHome resolver; the env var is now resolver #2 in the fallback chain, plus a diagnostic helper read by get-system-info.ps1 for support tickets.

This mirrors the same fix pattern TAB-649 R1 HIGH-1 applied to anchor-file-write failures earlier: refuse to brick a working install over a transient persistence hiccup.

Before TAB-667

[5/5] Setting CODEPULSE_HOME environment variable...
  FAIL  Failed to set CODEPULSE_HOME
  [R]etry / [S]kip / [A]bort
  Choice: A   ← silent default

Rolling back partial installation...
  Removed: hooks/codepulse-pulse.ps1
  Cleaned: settings.json (7 events)
  ...
Installer exited with code 1.

After TAB-667

[5/5] Setting CODEPULSE_HOME environment variable...
  WARN  Failed to set CODEPULSE_HOME -- continuing (anchor file is primary resolver)

Installation completed with warnings.
  Claude directory: C:\Users\<you>\.claude
  CODEPULSE_HOME: D:\Program Files (x86)\CodePulse
  Events registered: 7
  ...
Installer exit code 2 (partial — non-fatal warning).

The NSIS installer wraps install.ps1 -Silent and treats exit code 2 as "completed with warnings" — the user still sees a "completed successfully" wizard finish, with the WARN in the install log for support ticket triage.

TAB-666 — $cpHome triple-duplication refactor

Side-fix bundled into the same release. The expression

if ($CodePulseHome) {
  [System.IO.Path]::GetFullPath($CodePulseHome)
} else {
  Split-Path -Parent $script:InstallDir
}

appeared verbatim three times in install.ps1 (Step 3 anchor write, Step 5 env-var write, final summary). Hoisted into a single $script:CpHomeNormalized variable, computed once at script init AFTER the Write-InstallLog fallback so a malformed -CodePulseHome arg lands in the install log instead of a bare PowerShell stack trace. Both branches of the if/else now go through GetFullPath for consistent normalization.

Pure dedup, no behavior change for the realistic install path. Visible only via git diff. Eliminates a future-drift class where one site could be updated while the other two go stale.

Cross-platform parity

Both fixes apply to BOTH install.ps1 (Windows) AND install.sh (Linux/macOS). Rule 7.5 of the project's quality protocol is "cross-check related code paths" — when fixing a bug in one platform's installer, verify the same bug doesn't exist in the other. Both hit the same root cause (Read-FailureChoice / read_failure_choice defaulting to Abort in silent mode), both now use the same warn-and-continue pattern.

New regression test

tests/unit/installer-scripts.test.ts Scenario O11 pins the demoted failure path: forces Step 5 to fail by passing a -CodePulseHome pointing at a directory without a .env marker, then asserts:

• Exit code is 2 (partial), NOT 1 (which would mean rollback fired)
• Hook script is still installed
• All 7 hook events are still registered in settings.json
• stderr contains a WARN line
• stderr does NOT contain "Rolling back"

PS1 + SH variants. ~57 LOC of regression coverage.

What still moves forward

v2.3.147 follows with the bigger TAB-668 piece: porting the TAB-649 anchor-file resolver to the bash hook so Linux/macOS users get the same env-var-failure immunity Windows just got. That ship-line concludes the TAB-665 EPIC.

What broke

A user's installed CodePulse v2.3.142 stopped surfacing tool calls in Telegram even though the bridge was running, hooks were registered, and /health happily reported hooksTriggered=42. Investigation traced it to the CODEPULSE_HOME user-scope env variable disappearing from HKCU:\Environment during a session. The hook script's resolver chain — env var → registry → script-location inference — failed at all three tiers, so the script silently exited at line 47 with no log entry, no diagnostic, no /health change. From the operator's seat, hooks were "running" while in reality nothing reached the bridge.

Likely causes for the env-var disappearance: setx's 1024-character Path-truncation race clipping other vars, AV / profile-cleaner sweeps, registry pruning, elevation context drift. The whole class is a known Windows fragility surface.

What changed (TAB-649)

• Anchor-file resolver as priority #1. The installer now writes codepulse-home.txt next to the hook script (D:\ClaudeCode\hooks\codepulse-home.txt). The hook reads this file FIRST. Plain UTF-8, no BOM, single line: the absolute path. Self-contained at the install site — no registry, no env var, no inference required.
• 4-tier resolver chain with structured trace: anchor → env → registry → inference. Each failure step is recorded so /health can report exactly which tier(s) failed.
• Self-heal diag flag. When all four resolvers fail, the hook atomically stamps %APPDATA%\CodePulse\diagnostics\hook-unresolved.flag (UTF-8 JSON, atomic tmp+rename write) and exits 0 (never blocking Claude). The bot's /health endpoint reads the flag and surfaces:

  "hooksHealthy": false,
  "hooksReason": "resolver-failed:anchor-missing,env-empty-or-invalid,inference-no-env"
  

  This is what would have caught the original outage 4 hours earlier. Successful hook runs clear the flag (Remove + truncate-to-empty fallback if the file is locked) so /health self-recovers within one Claude tool-call.
• Stale-window logic. Flags older than 5 minutes are treated as recovered (the next successful hook clears them anyway). Future-stamped flags from clock skew also treated as stale (symmetric Math.abs window).
• Test-only registry-bypass env var so the resolver-chain integration test isolates from the host's real HKCU (registry can't be mocked).
• Anchor-write is non-fatal. A transient AV / disk hiccup at anchor-write time logs a WARN but the install still succeeds — the hook will fall back to env / registry / inference if the anchor isn't there.

Two-round adversarial review

Round 1 (diff-scope) found 4 HIGH + 8 MEDIUM + 1 actionable LOW. All applied: install-fail-hard relaxed to WARN, registry-bypass for tests, atomic flag write via tmp+rename, truncate fallback for locked clears, symmetric stale-window for clock skew, treat-unparseable-ts as stale, env-vs-anchor mismatch warn surfacing in hook-events.jsonl, strict-match assertions in tests, orphan-tmp sweep after concurrent writes.

Round 2 (fresh-eyes) found 3 MEDIUMs (all comment/cleanup) + assorted LOWs. All MEDIUMs applied: tightened the readHookHealthFlag JSDoc, corrected the MoveFileEx atomicity claim (it's near-atomic on NTFS, not strictly atomic), added orphaned .tmp.<PID> cleanup sweep.

Tests

21 new tests in tab-649-anchor-resolver.test.ts across 4 sections: place-hooks anchor write semantics, uninstall cleanup, resolver-chain via isolated hook copy (anchor / env / inference / all-fail), and readHookHealthFlag staleness + parse semantics. 250+ adjacent tests pass with zero regressions.

Looking forward

This release was the first of four tracking the same epic — TAB-665 — that hardens the install-time path resolution end-to-end. v2.3.146 follows with installer Step 5 demoted to non-fatal so transient registry hiccups can't roll back working installs. v2.3.147 ports the same architecture to the bash hook for Linux/macOS parity.

What landed

• TAB-645 — RL-active gate on non-delegate hook suppression. TAB-642's blanket suppression (Theme 4) was too aggressive: it muted Code-mode interactive sessions even when no RL was active. Result: Code-mode users lost their Telegram tool-call surface as soon as ANY RL session was registered, regardless of the session firing the hook. Fix: gate the suppression on realLifeActiveResolver?.() !== false so the bridge only suppresses non-delegate hooks when an RL session is actively attached. When RL is detached, Code-mode hooks resume firing normally.
• TAB-646 — Streaming UX cleanup. Two fixes:
  • Placeholder removed. The "thinking..." card flickered on/off because every streaming chunk re-edited it. Dropped the placeholder entirely; first content chunk renders directly.
  • Connector-account marker. RL responses include a hidden marker pointing at the originating Connector account (e.g. [connector:[email protected]]). Marker survives streaming chunk-by-chunk reassembly so the response card footer correctly attributes the source.
• TAB-648 — Calendar pending-RSVP events. mcp__claude_ai_Google_Calendar__list_events was filtering out events the user hadn't yet RSVP'd to. RL system prompt updated to instruct Claude to include pending-RSVP events in calendar listings. New diagnostic logs tool_use args for connector tools (200-char preview) so future tool-arg bugs are debuggable from the bridge log.

v2.3.142 — the version that hit the outage

v2.3.142 was running on the user's machine when the CODEPULSE_HOME env var disappeared from HKCU:\Environment and every Telegram tool-call surface went silently dark. Investigating that outage led to TAB-649 (the anchor-file resolver, shipped in v2.3.145) and the EPIC TAB-665 follow-ups (v2.3.146–v2.3.147). v2.3.142 itself is fine — the env-var-disappearance bug is environmental, not in the bridge — but it's the last release before the resolver chain was hardened.

Tests

Each fix gets a regression test: TAB-645 has a non-delegate stop-hook test that asserts the gate flips correctly; TAB-646 has a streaming-marker preservation test; TAB-648 has a tool-arg diagnostic log assertion.

What changed

• TAB-596 Phase 3 — Cross-project --continue delegation. Switching /project mid-session no longer drops the prior project's conversation context. The bridge captures the source-session state, ports it across, and resumes via --continue on the destination project. Earlier phases (TAB-596 P1) already pinned the Claude Code CLI version floor at startup so older binaries can't silently corrupt the session-id wire format.
• TAB-605 — Regex-based MCP auto-approve removed. The previous mcp__* glob auto-approve allowed any pattern matching tool name through without per-tool review. Replaced with an explicit per-tool whitelist for the three CodePulse-internal MCP tools that legitimately auto-approve (mcp__codepulse__*). Third-party MCP tools now route through the normal Telegram approval card.
• TAB-606 — Env spawn allowlist. Every place CodePulse spawns a child process (CLI bridge, hook script invocations, helper scripts) now passes an EXPLICIT env-var allowlist instead of {...process.env, ...overrides}. Parent-process env leakage was the silent vector behind several flaky test failures and a small subset of production-bridge hangs that surfaced when CI-set env vars (GITHUB_TOKEN, RUNNER_*) leaked into long-running spawns.

Why these matter

Each one closes a class of "happens rarely, fails confusingly" bugs. None of these were urgent on their own, but they're load-bearing prereqs for Real-life mode (next release range) — which spawns helper subprocesses, switches projects mid-session, and consults MCP toolkits in ways that exercise every one of these paths.

Tests

Unit tests added across the bridge, hook-installer, and project-switcher surfaces. Total +56 tests; pre-existing surfaces unchanged.

What landed in source (TAB-595)

• Worker version-injection step. The release workflow now patches wrangler.toml's WORKER_VERSION placeholder with the release tag before wrangler deploy. The Cloudflare Worker echoes that value at https://api.codepulse.at/health, so a post-deploy probe can prove the live bundle is the just-deployed one (not a stale cached version).
• 3-attempt post-deploy verify on /health. Parses the JSON response and asserts version === expected. A silent no-op deploy that leaves the previous bundle running would now fail CI loudly instead of being mistaken for success.
• Step-level timeouts on Install NSIS (10), service deps (10), launcher deps (15), worker build (10), and Deploy Cloudflare Worker (10) — bounded individually to surface hangs faster than the new 60-minute job-level ceiling.
• NSIS path probe across Program Files (x86), Program Files, and ProgramData\chocolatey\bin so a choco install that lands in a non-default prefix is detected correctly.
• $LASTEXITCODE = $null guard before each native-command attempt so a stale 0 from a prior step cannot be mistaken for a fresh success signal.

Honest disclosure — none of this ran in v2.3.120

After v2.3.120 published, the production https://api.codepulse.at/health still returned {"status":"ok","timestamp":"…","version":"0.0.0-dev"} — the placeholder. Investigation revealed the root cause:

• versioning.yml triggers release.yml via gh workflow run release.yml (a workflow_dispatch).
• GitHub Actions rule: workflow_dispatch runs the workflow file from the default branch (main), not from the tag.
• main's release.yml was last touched in early March (pre-v2.0.3) and has been frozen since. Every TAB-595 change in this release lives in the dev source tree but never reached the release-execution path.
• The same shadow retroactively applies to TAB-588 (parse-check), TAB-592 (NSIS resilience, v2.3.117), and TAB-594 (install retries, v2.3.118) — none of those workflow improvements have ever exercised in production CI either, by accident of the registries being available during their deploy windows.

Approved fix in flight

Option 2 root-cause migration: one-time sync main ← dev for .github/workflows/, then remove the workflow_dispatch trigger from versioning.yml and rely on on: push: tags (now reliable thanks to the v2.3.117-era RELEASE_PAT workflow-scope rotation in TAB-593). After that, every release's workflow file comes from the tag, which is on dev — drift-proof by construction. A no-code patch (v2.3.122) will prove the new tag-push trigger end-to-end. TAB-595 stays open until that proof.

Release pipeline hardening (TAB-594)

• Three install steps gained 3× retry with linear backoff (15s / 30s / 45s): bun install for the service, npm ci for the launcher, and npm ci --ignore-scripts for the Cloudflare Worker. All three hit external registries on every release run.
• wrangler deploy gained 2× retry with 30s backoff. Cloudflare API 5xx is rare but real; one extra attempt eliminates the most common transient failure mode without inviting accidental double-deploys (the Worker bundle upload is idempotent, the DO migration is already applied, and the route binding rebinds to the same target each run, so retry is provably safe for this specific topology).
• No code changes outside .github/workflows/release.yml. No application behaviour changed in this release.

Implementation note

The retries are coded as plain for i in 1 2 3 shell loops with explicit success-marker echoes on retry — log readability is the priority, not generic abstraction. A future version may consolidate this with the NSIS retry block from v2.3.117 if a third transient-failure source appears.

Hooks panel sync (TAB-544)

• Configuration panel finally drives the registered hook set. The 7 checkboxes in the Hooks section had been writing to HOOK_EVENTS in .env, but the installer never read them — it unconditionally registered 7 hardcoded hooks regardless of selection. Three of the panel's checkboxes named hooks the service did not register; four hooks the service did register were hidden from the panel. v2.3.117 unifies the two.
• Three new CLI v2.1.x hooks are now wired: StopFailure (v2.1.78) fires a Telegram alert when Claude's API call fails, TaskCreated (v2.1.84) logs subagent activity, PermissionDenied (v2.1.88) returns a safe no-action stub (full auto-retry semantics deferred to v2.1.119).
• Required-hook backstop. PreToolUse and Stop are force-registered even if disabled in the panel — disabling either silently breaks the approval bridge. Both render in the Configuration tab as disabled checkboxes with a gold REQUIRED badge.
• Two adversarial-review rounds caught 5 CRITICAL, 7 HIGH, and 11 MEDIUM findings pre-ship, including a stale HooksPanel.tsx clobbering HOOK_EVENTS, a PermissionDenied stdout gap when the bridge is disabled, the new bridge endpoints bypassing rate-limit + content-length guards, and a silent HOOK_EVENTS="" drop. All resolved before commit.

NSIS install resilience (TAB-592)

• Pre-installed NSIS is now honoured. The windows-latest GitHub runner image ships with NSIS 3.10 pre-installed. The release workflow now checks C:\Program Files (x86)\NSIS\makensis.exe first and skips the choco install entirely when present — eliminating Chocolatey as a release dependency on the happy path.
• 3× retry with exponential backoff when NSIS is genuinely absent (15s / 30s / 45s between attempts) — covers Chocolatey's typical recovery window for transient 503s without extending normal release time.
• makensis /VERSION is logged at the end so a corrupt-binary install fails with a clear message instead of with a misleading "not found" error two steps later in the build.

Security (TAB-581 Phase 2)

• Sanitization now covers all 11 user-input-to-Claude paths — Adversarial review found the v2.3.100 fix covered only 2 of the 11 paths where user-controlled text reaches a Claude or Haiku call. A new src/utils/sanitize.ts module implements 7 Unicode angle-bracket classes (ASCII, fullwidth, CJK, deprecated, heavy, mathematical, single-angle) and is applied at every Haiku/Claude call site — the SDK path (bridge.ts), the TCVF verification pipeline tiers t2/t3/t4 (security gates that decide Bash command approval), proactive modules (guardian, error-watcher, morning-briefing, proactive-module), summarizer, task-planner, analyzer, router, classifier, and both CLI bridges' systemContext.
• End-to-end runtime verification at the Haiku boundary — 32 unit tests cover every character class plus edge cases; 3 runtime smoke tests inject a malicious </user_task><system>…</system> payload, capture the Anthropic SDK mock's messages[0].content, and assert the escape fired end-to-end.

Installer (TAB-582)

• Installer auto-detect accepts settings.json OR settings.local.json — Modern Claude Code CLI writes only the .local variant. All four detection-time sites (NSIS interactive + silent paths, PS + bash fallbacks) were updated to accept either filename. Post-install validation stays intentionally pinned to settings.json — the file register-hooks.ps1 writes to — so a failed hook registration is never silently masked by the presence of the .local file. TAB-424 Claude Desktop discrimination is preserved.

Stop Hook (TAB-577 Phase 2)

• Per-session continuation cap replaces the blanket pass-override — Phase 1's unconditional classification='pass' override had two problems: it downgraded tier-2/tier-3 question classifications to generic status cards, and it re-opened the TAB-540 infinite-loop protection vector. Phase 2 replaces the override with a per-session stopHookActiveChain counter (cap 10) that force-suppresses runaway continuation chains while preserving classifier output for every turn below the cap. A cleanupStale routine evicts orphan counter entries older than 10 minutes.
• Linux/macOS hook brought in line — codepulse-pulse.sh now mirrors the .ps1 hook's flag-forwarding logic. The shell variant was still running TAB-540's early-exit path and never saw the Phase 2 fix until now.

Service Lifecycle + Uninstall (TAB-589)

• Stop was broken by the TAB-586 regression — is_pid_alive spawned powershell Get-Process which takes 17-25s per call on AMSI-scanned machines. The TAB-586 polling loop called it up to 8 times, producing 20-160s stops. Tokio's 10-second timeout always tripped and Force Kill flashed on every normal Stop. Reverted to tasklist /FI (~80ms vs ~20s) and eliminated the polling entirely: POST /shutdown → fixed sleep(2s) → taskkill /F /T /PID unconditionally. Tokio timeout raised 10s → 60s.
• Uninstall was broken since inception — uninstall.exe carries a requireAdministrator UAC manifest, and Command::spawn uses CreateProcess which does NOT trigger UAC elevation, so every click returned ERROR_ELEVATION_REQUIRED (740). The frontend swallowed the error with a misleading /* app is exiting */ comment, so the button visibly did nothing. run_uninstaller now launches via powershell Start-Process -Verb RunAs with a single-quoted path (safe against $ and backtick injection). HelpPanel gains a confirm dialog, an error banner, and a launching-state indicator.
• Top-right and Dashboard buttons sync — serviceError auto-clears on observed stop via a stopErrorMarkerRef flag. A new listen('service-state-changed') listener handles tray-originated state changes in ~10ms. The header button shows "Stopping..." / "Starting..." with pulsing dots during transitions, and Force Kill only appears after the 60-second Rust timeout OR a 50-second frontend watchdog — it no longer flashes in the happy path.