v2.16.2

@github-actions github-actions released this 03 Jun 02:09
· 164 commits to main since this release

Bundles everything merged since v2.16.1: a token-file permission hardening (security), the duplicate-daemon / split-brain fix behind the "relaunch resets my terminals" bug, configurable daemon lifecycle thresholds, and idle-reap diagnostics. No config changes are required — defaults are unchanged.

Security

  • Token-file ACL is applied by owner SID, not username. The daemon auth-token file's ACL was tightened by passing the account name to icacls, which mojibakes under the OEM codepage for non-ASCII (e.g. Korean) usernames and could lock the owner out of their own token. The ACL is now keyed by the owner's SID, with an ASCII-only fallback guard. (#90)
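A sketch of the SID-keyed grant described above, added here as an illustration and not taken from the wmux source. The function names, the `whoami /user /fo csv /nh` lookup, the reading of the "ASCII-only fallback guard" as "use the username only if it is printable ASCII", and the sample output are all assumptions.

```javascript
// Added example, not wmux code. All names below are hypothetical.
// Constructed sample of `whoami /user /fo csv /nh` output where the account
// name arrived as mojibake; the SID column is plain ASCII regardless.
const SAMPLE_WHOAMI =
  '"DESKTOP-TEST\\\u00c1\u00b6\u00c1\u00d8","S-1-5-21-1111111111-2222222222-3333333333-1001"\r\n';

// Strict SID shape: S-1-<authority>-<sub-authority>...
const SID_RE = /^S-1-\d+(?:-\d+){1,14}$/;

// Take the last CSV field and accept it only if it is a well-formed SID.
function parseOwnerSid(whoamiCsv) {
  const last = whoamiCsv.trim().split(',').pop().replace(/^"|"$/g, '');
  return SID_RE.test(last) ? last : null;
}

// Prefer the SID (icacls takes a numeric SID with a leading "*").
// Fall back to the username only when it is printable ASCII, so a name the
// OEM codepage would garble is never handed to icacls.
function pickPrincipal(sid, username) {
  if (sid && SID_RE.test(sid)) return `*${sid}`;
  if (username && /^[\x20-\x7e]+$/.test(username)) return username;
  return null;
}

// Drop inherited ACEs and replace explicit ones with a single owner grant.
function buildIcaclsArgs(tokenPath, principal) {
  return [tokenPath, '/inheritance:r', '/grant:r', `${principal}:(F)`];
}

// `run` is injectable for testing; by default it is execFileSync, which
// passes arguments as a vector (no shell, no quoting of the path).
function hardenTokenFile(tokenPath, username, run) {
  run = run || require('node:child_process').execFileSync;
  let sid = null;
  try {
    sid = parseOwnerSid(run('whoami', ['/user', '/fo', 'csv', '/nh'], { encoding: 'latin1' }));
  } catch (_) { /* lookup failed: fall through to the guarded fallback */ }
  const principal = pickPrincipal(sid, username);
  // Leave the ACL untouched rather than grant to a principal that may not resolve.
  if (!principal) return false;
  run('icacls', buildIcaclsArgs(tokenPath, principal), { stdio: 'ignore' });
  return true;
}
```

Because the principal is chosen before inheritance is stripped, a failed SID lookup combined with a non-ASCII username leaves the file's existing ACL in place instead of producing a token the owner cannot read.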

Fixed

  • No more duplicate daemon / split-brain on relaunch. "Quit (keep sessions) → relaunch" could spawn a second daemon that fell back to a -N-suffixed pipe, leaving the first daemon's session pipe in EADDRINUSE and the UI unable to reattach — terminals appeared to reset. A three-defect chain is closed: isProcessAlive swallowing its probe error into false, the canonical-pipe reclaim conflating a live owner with a zombie, and the -N fallback itself. A confirmed live owner on the canonical pipe now makes the redundant daemon exit cleanly so the launcher reconnects to the existing one. (#93)
  • maxSessions counts only live sessions. Dead tombstones no longer occupy slots against the cap, so a low maxSessions won't be exhausted by sessions that have already exited. (#92)
  • Recovered sessions keep their saved dead-TTL. A recovered session preserves the dead-session TTL it was created with instead of silently inheriting the current default. (#92)

Added

  • Configurable lifecycle thresholds. Five daemon limits became config keys with the former hardcoded values as defaults: maxSessions (200), the memory warn/reap/block triple (500/750/1024 MB), and suspendedTtlHours (7d). Out-of-range or malformed values are clamped per-field — not whole-file reset — with a startup warning, so a single bad value can't brick the daemon. maxRecoverSessions is derived from maxSessions rather than configured separately. Documented in PROTOCOL.md §7–§8. (#92)
  • Idle-shutdown diagnostics. When the daemon is held alive past its grace window, the watchdog now logs which signal is keeping it up (active connections vs. live sessions) or that it is counting down to self-terminate, so a daemon that fails to reap an empty session set can be diagnosed from its log instead of a live-process inspection. (#95)

Contributors

Special thanks to @junbeom09 (조준범) for the token-file ACL hardening (#90). He hit the non-ASCII-username lockout firsthand: a Korean account name turned the icacls principal into mojibake under the Windows OEM codepage and locked the owner out of their own auth token. He traced the root cause and contributed the SID-based fix that makes the hardening codepage-proof for every user. Reports like this, from real-world setups a single maintainer never sees, are exactly how wmux gets more robust. 🙏

Maintained by @openwong2kim, with engineering and code-review pairing by Claude (Anthropic). Thanks as always to everyone filing issues and dogfooding the daemon-lifecycle work.

What's Changed

  • security: grant token-file ACL by owner SID so non-ASCII usernames can't lock the owner out by @junbeom09 in #90
  • docs(plan): substrate 3.0 lifecycle-boundary plan + eng review by @openwong2kim in #91
  • feat(daemon): configurable substrate 3.0 lifecycle thresholds by @openwong2kim in #92
  • fix(daemon): close the duplicate-daemon / split-brain bug (3-defect chain) by @openwong2kim in #93
  • test(daemon): lock orphan idle-reap robustness + idle-eval observability by @openwong2kim in #95

New Contributors

Full Changelog: v2.16.1...v2.16.2