fix(dream-cli): pipefail + surface LLM failures + exit-code contract

[yasinBursali]

What

Three independent error-discipline improvements to dream-cli:

1. Promote shell options from set -e to set -eo pipefail, aligning with CLAUDE.md's project standard. Audit | head -1 sites (converted to | sed -n 1p for SIGPIPE-safety).
2. dream chat and dream benchmark now actually detect LLM failures instead of silently reporting "success" against a dead backend. Uses curl --fail --show-error --max-time + jq -er strict parsing, plus a /v1/models preflight probe.
3. Three commands (dream disable, dream agent logs, dream gpu reassign) now exit non-zero on failure/skip conditions, fixing the exit-code contract for scripted callers.

Why

Before this PR: dream chat against a dead backend printed [dream] Sending to ..., emitted an empty line, and exited 0. dream benchmark propagated that silent failure and happily reported sub-second "Excellent" performance against a non-running LLM. Root cause: curl was invoked with -s (silent, no error-show, no fail-on-HTTP-error) and responses were parsed with jq -r .choices[0].message.content // .error.message // "Error: no response" — every failure path masked behind a human-friendly string on stdout.

dream disable bogus-service used to silently stop a non-existent container (|| true) and print a success-shaped message. Several other commands exited 0 after warning about skip conditions, so automation couldn't distinguish "success" from "skipped."

How

Three commits, each self-contained:

• dfaa4c8f — adopt set -eo pipefail; convert two | head -1 sites to | sed -n 1p.
• 385372ec — rewrite chat/benchmark with preflight probe + strict curl --fail + jq -er. cmd_benchmark uses if ! response=$(cmd_chat ...) so chat failure aborts the benchmark. On the main chat call, the flag is bare --show-error (no --fail*) so HTTP 4xx/5xx responses flow through to the existing jq fallback which extracts .error.message cleanly — also keeps compat with curl < 7.76 (Ubuntu 20.04, Debian 11, RHEL 8).
• 10588c2a — exit-code contract for cmd_disable, cmd_agent logs, _gpu_reassign.

Testing

• dream chat "hi" against a stopped llama-server: now exits 1 with "llama-server not reachable..." (previously silent empty output, exit 0).
• dream benchmark against a stopped backend: now aborts with "Benchmark failed: LLM unreachable..." (previously false-positive sub-second "Excellent").
• dream disable bogus-service: exits 1 with "Unknown service" (previously exit 0 after silent stop).
• Round-1 review: Critique Guardian approved. Round-2 adversarial audit: verified across 5 failure paths including the --fail / no-flag asymmetry on the two curl sites.

Known Considerations

Nounset (set -u) is not added in this PR — it requires a full bare-variable audit, which lands as the sibling refactor(dream-cli): enable set -u PR on top of this one.

Platform Impact

• macOS: chat/benchmark runs locally against llama-server; curl 8.x tested.
• Linux Ubuntu 20.04 / Debian 11 / RHEL 8: the --fail-with-body flag (curl ≥ 7.76, Mar 2021) was deliberately avoided on the main chat call so these older-curl distros work too.
• Windows (WSL2): same behavior as Linux.

⚠️ Merge order — must land #1008 first

Adopting set -eo pipefail here turns 7 existing grep "^KEY=" .env | cut | tr pipelines in dream-cli into hard exits when the key is absent. PR #1008 (refactor(dream-cli): guard .env grep pipelines against pipefail kill on missing keys) appends || true to those 7 sites so the surrounding defensive [[ -n ... ]] / ${var:-default} checks keep working.

If this PR merges alone, dream update, dream rollback, dream enable, dream preset, and dream dry-run can abort mid-flow on installs that predate (or have manually-edited-out) one of those .env keys. #1008 is preventive on main today and load-bearing the moment this PR lands. Marked as Draft until #1008 is in to make this gate mechanical.

---

📋 Chain status (operator's reminder — apr-25)

This PR sits in the middle of a dream-cli strict-mode chain:

#1008 (READY) ──▶ #998 (this — DRAFT) ──▶ #1002 (DRAFT)
                                     └──▶ #1018 (DRAFT)

Before this PR can be promoted:

• refactor(dream-cli): guard .env grep pipelines against pipefail kill on missing keys #1008 must merge first (the .env grep-pipeline guards above are load-bearing the moment set -eo pipefail lands here).

After this PR merges, the next operator step is:

1. Rebase refactor(dream-cli): enable set -u and add guards for conditional variables #1002 onto post-fix(dream-cli): pipefail + surface LLM failures + exit-code contract #998 main. The 6+ shared hunks (line 6 set-line, identical sub-hunks in cmd_chat/cmd_benchmark/cmd_disable/cmd_agent/_gpu_reassign, | head -1 → sed -n '1p' swaps) drop out automatically. What remains is refactor(dream-cli): enable set -u and add guards for conditional variables #1002's actual unique work: the -u flag and :- empty-string default guards.
2. Promote refactor(dream-cli): enable set -u and add guards for conditional variables #1002 from DRAFT → ready (gh pr ready 1002).
3. Same pattern for test(dream-cli): BATS regression shield for 5 dream-cli / supporting behaviors #1018 once its other deps (fix(dream-cli): schema-driven secret masking + macOS Bash 4 validation #994, fix(dashboard,dashboard-api): sentinel-based setup wizard success detection #1003, fix(dream-cli): Apple GPU output polish + compose wrapper SIGINT/zero-match #1016) have landed.

#1002 and #1018 are kept in DRAFT as a mechanical safeguard so they cannot merge before this one.

[Lightheartdevs]

Audit follow-up: keep draft / rebase on current main.

The focused pipefail guard from #1008 is now merged. This draft still needs to absorb or preserve that fix: _check_version_compat must tolerate a .env without DREAM_VERSION and fall back to .version/manifest.json instead of exiting under pipefail.

[yasinBursali]

Pushed audit follow-up — rebased onto current upstream/main, conflict resolved, audit-required || true preserved, 4-case regression test added, plus 3 latent split-local pipefail bombs fixed (CG follow-up).

Audit resolution:
The conflict in _check_version_compat was exactly the audit's target — branch's commit dfaa4c8f had stripped the || true from the DREAM_VERSION grep pipeline; current upstream/main (post-#1008) carries the audit-required tolerance. Conflict resolution kept upstream's || true form with an inline rationale comment citing #1008 + this audit so a future "cleanup" reviewer cannot remove it without context.

_COMPAT_INSTALLED_VER=$(grep '^DREAM_VERSION=' "$INSTALL_DIR/.env" 2>/dev/null \
    | sed -n '1p' | cut -d= -f2 | tr -d '[:space:]' || true)

The .version and manifest.json fallback branches that follow are intact and reachable.

Regression test (9d7aa45e): tests/test-dream-cli-version-compat-pipefail.sh (4 cases, wired into make test):

• dream-cli runs under strict mode (precondition).
• DREAM_VERSION grep pipeline ends with || true (active code; comments stripped before grep so the rationale block alone can't satisfy the assertion).
• .version and manifest.json fallback branches present.
• Anti-regression: bare-close form (no trailing || true) does NOT appear.

Sabotage-validated: stripping || true from the pipeline makes cases 2 and 4 both fail.

CG follow-up (3ecbfe13): CG returned APPROVED WITH WARNINGS and flagged 3 latent split-local pipelines now fragile under the pipefail flip:

• cmd_status reading bootstrap-status.json (lines 647/650/651) — could abort dream status mid-output on a partial/mid-write JSON.
• cmd_preset list reading meta.txt (lines 1954/1955) — a single malformed preset would abort the listing of all subsequent ones.
• cmd_chat jq-fallback (line 1279, newly added in 61be91b0) — unparseable LLM JSON would silently abort instead of reaching the friendly LLM error: ${_err:-unparseable response}.

All 3 sites now have || true with inline rationale comments. Sites #1 and #2 are pre-existing code newly exposed by this PR's pipefail flip; site #3 is new code from this PR.

make lint green, make test green (including the new pipefail-tolerance regression).

Promoting from draft.