fix(packaged): reclaim stale namespace sidecars before launch (#4441)

[YOMXXX]

Fixes #4441

Why

I hit this while exercising packaged Nightly upgrade/reinstall flows: the app appeared to crash on launch, and the desktop log only showed a generic timed out waiting for sidecar status against web.sock. Digging in, the real cause was a still-alive web sidecar from the previous build (0.10.1) still bound to /tmp/open-design/ipc/release-nightly/web.sock.

The pain: the existing stale-socket cleanup (prepareIpcPath/staleUnixSocketExists) only handles a socket left behind by a dead process — it probes with a connection and, when a leftover process is still alive and answers, judges the socket "healthy" and never unlinks it. The new sidecar then dies with EADDRINUSE, and because the web waitForStatus call passed no child watch, it sat through the full 35s timeout and reported the wrong process. This is the P1/risk-high startup robustness gap in #4441: a live older-version sidecar is semantically stale for the namespace but was never reclaimed.

What users will see

Upgrading or reinstalling a packaged build no longer fails to open when an older runtime left a sidecar running. The launcher now reclaims the namespace on startup (stops the leftover daemon/web sidecars and clears their sockets) before spawning fresh ones. If a sidecar still can't start, the desktop log now names the failing process and points at its log instead of a generic 35s timeout.

Surface area

• None — internal packaged-launcher startup robustness fix; no UI/CLI/API/i18n surface. (It does change startup behavior in that a leftover same-namespace sidecar is now stopped — but that is the fix for the crash, not an opt-in behavior, and a leftover desktop process is still left to the single-instance lock.)

Screenshots

N/A — no UI.

Bug fix verification

• Test path that reproduces the bug: apps/packaged/tests/sidecars.test.ts
  • reclaimStaleNamespaceSidecars > stops leftover same-namespace daemon and web sidecars and clears their sockets (+ different-namespace and self-tree-exclusion cases)
  • waitForStatus app label > names the web sidecar when its child exits before reporting status
• Did the test go red on main and green on this branch? yes — red as reclaimStaleNamespaceSidecars is not a function and as the exit error naming daemon instead of web; green after the fix.
• End-to-end "packaged app no longer crashes" needs a packaged build to confirm by eye. To reproduce the live-leftover state from the issue: start an older packaged runtime, leave its web sidecar bound to /tmp/open-design/ipc/<namespace>/web.sock, then launch the new build — it should reclaim and start instead of timing out.

Validation

• pnpm --filter @open-design/packaged test → tests/sidecars.test.ts 28 passed (the 4 new specs RED→GREEN).
• tsc -p tsconfig.json --noEmit / tsconfig.tests.json → no errors in sidecars.ts.
• Scope held to Nightly can crash or exit on launch when stale sidecars or IPC sockets remain #4441's startup path; the macOS AppTranslocation/quarantine diagnostic suggested in the issue is left as a follow-up.

[lefarcen]

Hi @YOMXXX! Thanks for digging into this — the write-up around the stale live-sidecar vs dead-socket gap made the startup failure mode very easy to follow.

I've queued the PR through the normal reviewer path and linked it back to #4441 so the bug trail stays in one place.

💡 To drive this PR to merge hands-free, paste this to your AI coding agent (Claude Code / Codex / opencode / Cursor …):
Take over nexu-io/open-design#4531 until it merges — read https://raw.githubusercontent.com/nexu-io/looper/main/skills/pr-takeover/SKILL.md and follow it.

[PerishCode]

@YOMXXX I reviewed the changed ranges in apps/packaged/src/sidecars.ts and apps/packaged/tests/sidecars.test.ts. The reclaim path stays on the shared sidecar/platform primitives, scopes termination to same-namespace packaged daemon/web sidecars while protecting the current process tree, and the new tests cover the stale sidecar reclaim, namespace isolation, self-tree exclusion, and web fast-fail diagnostic behavior.

I could not rerun the local package commands in this prepared checkout because node_modules is missing (vitest, tsc, and tsx were unavailable), but the live PR checks show the workspace/static gates and unit-test job passing for this head. Thanks for tightening this startup failure mode and making the diagnostics more direct.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}