refactor: remove symlink farm, use real HOME for Claude

The full-home symlink mirror was fragile — hundreds of symlinks, cross-device
failures, race conditions on cleanup. Replace with the right model per provider:

- Claude (-p flag): runs with real HOME. No local session state is written in
  print mode; auth lives naturally in ~/.claude; server-side UUIDs mean parallel
  sessions don't conflict. Isolated home was never necessary.

- Gemini/Codex: keep the minimal per-project persistent home — small, stable,
  not a symlink farm. Temp fallback kept but reverted to the simple form
  (provider dir + .gitconfig + .ssh only).

- Mistral: already correct — sets VIBE_HOME only, HOME untouched.

setupIsolatedHome is now explicitly scoped to providers that store session
state locally and need parallel-session isolation. Its docstring calls this out.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: rafiki270

src/providers/claude.ts

@@ -4,7 +4,7 @@
  */
 
 import { spawn } from 'node:child_process';
-import { writeFileSync, unlinkSync, existsSync, rmSync } from 'node:fs';
+import { writeFileSync, unlinkSync, existsSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import {
@@ -232,12 +232,10 @@ export class ClaudeProvider extends BaseAIProvider {
       }
     }
 
-    // Set up isolated HOME
-    // ~/.claude.json lives at HOME root (not inside ~/.claude/) and holds onboarding/machine state.
-    // Without it, Claude Code shows a toolchain/onboarding prompt on every invocation, which hangs
-    // since stdin is closed.
-    const isolatedHome = this.setupIsolatedHome('.claude', ['config.json', '.credentials.json', 'settings.json'], undefined, ['.claude.json']);
-
+    // Claude runs with the real HOME — no isolated home needed.
+    // In -p (print) mode it does not write interactive history, and auth/config
+    // files are naturally present in the real home. Each session has a server-side
+    // UUID so parallel sessions don't conflict on local state.
     return new Promise((resolve, reject) => {
       const startTime = Date.now();
       let stdout = '';
@@ -257,10 +255,7 @@ export class ClaudeProvider extends BaseAIProvider {
       const child = spawn(command, {
         shell: true,
         cwd,
-        env: this.getSanitizedCliEnv({
-          HOME: isolatedHome,
-          ...proxyOverrides,
-        }),
+        env: this.getSanitizedCliEnv({ ...proxyOverrides }),
         stdio: ['pipe', 'pipe', 'pipe'],
       });
 
@@ -348,13 +343,6 @@ export class ClaudeProvider extends BaseAIProvider {
         clearTimeout(activityTimer);
         const duration = Date.now() - startTime;
 
-        // Cleanup isolated home
-        try {
-          rmSync(isolatedHome, { recursive: true, force: true });
-        } catch {
-          // Ignore cleanup errors
-        }
-
         const outputStr = (stdout + '\n' + stderr).toLowerCase();
         if (code !== 0 && resumeSessionId && (
           !outputStr.trim() || // No output = session file missing (e.g. isolated home was cleaned up)
@@ -382,13 +370,6 @@ export class ClaudeProvider extends BaseAIProvider {
         clearTimeout(activityTimer);
         const duration = Date.now() - startTime;
 
-        // Cleanup isolated home
-        try {
-          rmSync(isolatedHome, { recursive: true, force: true });
-        } catch {
-          // Ignore cleanup errors
-        }
-
         resolve({
           success: false,
           exitCode: 1,

src/providers/interface.ts

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, readdirSync, readFileSync, symlinkSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, symlinkSync, writeFileSync } from 'node:fs';
 import { homedir, tmpdir } from 'node:os';
 import { join, dirname } from 'node:path';
 import { randomUUID } from 'node:crypto';
@@ -363,24 +363,21 @@ export abstract class BaseAIProvider implements IAIProvider {
   }
 
   /**
-   * Set up an isolated home directory for a provider CLI.
+   * Set up a minimal isolated home directory for a provider CLI.
    *
-   * For temp homes (baseDir not provided): mirrors the entire real home top-level
-   * into the isolated dir via symlinks, then replaces only `providerDir` with a real
-   * isolated directory containing auth-file symlinks. This gives the spawned process
-   * access to all user dotfiles, tools, configs, and credentials without needing an
-   * explicit allowlist, while keeping provider session state isolated between parallel
-   * invocations.
+   * Only used by providers that store session state locally and need isolation
+   * between parallel invocations (Gemini, Codex). Providers that don't write
+   * local session state (Claude with -p flag, Mistral via VIBE_HOME) should
+   * NOT use this — they should run with the real HOME or a targeted env var.
    *
-   * For persistent homes (baseDir provided, e.g. Gemini's per-project home): only
-   * creates the provider dir + auth symlinks, plus a small set of essential files.
-   * We don't full-mirror into persistent homes because they live inside project dirs
-   * and should not be filled with real-home symlinks.
+   * Creates a minimal dir with:
+   *  - an isolated providerDir containing only auth-file symlinks
+   *  - symlinks for .gitconfig, .ssh, and any extra rootFiles
    *
-   * @param providerDir Provider-specific config/state dir (e.g. '.claude', '.config/gcloud')
+   * @param providerDir Provider-specific config/state dir (e.g. '.gemini', '.config/gcloud')
    * @param authFiles Auth/config filenames to symlink into the isolated providerDir
-   * @param baseDir Optional pre-existing dir to use instead of creating a temp one
-   * @param rootFiles Extra HOME-root files to symlink for persistent homes (ignored for temp homes)
+   * @param baseDir Optional pre-existing dir to use (e.g. per-project persistent home)
+   * @param rootFiles Extra HOME-root files to symlink (e.g. ['.npmrc'])
    */
   protected setupIsolatedHome(providerDir: string, authFiles: string[], baseDir?: string, rootFiles?: string[]): string {
     const uuid = randomUUID();
@@ -392,54 +389,13 @@ export abstract class BaseAIProvider implements IAIProvider {
         mkdirSync(isolatedHome, { recursive: true });
       }
 
-      // ── Temp home: mirror the real home ──────────────────────────────────────
-      // Symlink every top-level real-home entry except the provider dir (which we
-      // create as a real isolated dir below). For nested provider dirs like
-      // '.config/gcloud', the parent ('.config') is excluded from the mirror and
-      // rebuilt with its own contents minus the specific subdir.
-      if (!baseDir) {
-        const topProviderDir = providerDir.split('/')[0];
-
-        try {
-          for (const entry of readdirSync(realHome)) {
-            if (entry === topProviderDir) continue; // handled separately below
-            const src = join(realHome, entry);
-            const dest = join(isolatedHome, entry);
-            if (!existsSync(dest)) {
-              try { symlinkSync(src, dest); } catch { /* best effort */ }
-            }
-          }
-        } catch { /* best effort — don't abort if real home listing fails */ }
-
-        // For nested paths (e.g. '.config/gcloud'): create the parent dir as a real
-        // dir and symlink everything from the real parent except the specific subdir.
-        const isNested = providerDir.includes('/');
-        if (isNested) {
-          const subDir = providerDir.slice(topProviderDir.length + 1);
-          const realParentPath = join(realHome, topProviderDir);
-          const isolatedParentPath = join(isolatedHome, topProviderDir);
-          mkdirSync(isolatedParentPath, { recursive: true });
-          if (existsSync(realParentPath)) {
-            try {
-              for (const entry of readdirSync(realParentPath)) {
-                if (entry === subDir) continue;
-                const src = join(realParentPath, entry);
-                const dest = join(isolatedParentPath, entry);
-                if (!existsSync(dest)) {
-                  try { symlinkSync(src, dest); } catch { /* best effort */ }
-                }
-              }
-            } catch { /* best effort */ }
-          }
-        }
-      }
-
-      // ── Create isolated provider dir with auth-file symlinks ─────────────────
+      // Create isolated provider dir with auth-file symlinks
       const realProviderPath = join(realHome, providerDir);
       const isolatedProviderPath = join(isolatedHome, providerDir);
-      mkdirSync(isolatedProviderPath, { recursive: true });
 
       if (existsSync(realProviderPath)) {
+        mkdirSync(isolatedProviderPath, { recursive: true });
+
         for (const file of authFiles) {
           const src = join(realProviderPath, file);
           const dest = join(isolatedProviderPath, file);
@@ -458,18 +414,14 @@ export abstract class BaseAIProvider implements IAIProvider {
         }
       }
 
-      // ── Persistent home: explicit essential symlinks ──────────────────────────
-      // The full-mirror doesn't apply to persistent homes, so add the minimum
-      // required files explicitly.
-      if (baseDir) {
-        [...(rootFiles ?? []), '.gitconfig', '.ssh'].forEach(file => {
-          const src = join(realHome, file);
-          const dest = join(isolatedHome, file);
-          if (existsSync(src) && !existsSync(dest)) {
-            try { symlinkSync(src, dest); } catch { /* best effort */ }
-          }
-        });
-      }
+      // Essential HOME-root symlinks so git and SSH work from the isolated home
+      [...(rootFiles ?? []), '.gitconfig', '.ssh'].forEach(file => {
+        const src = join(realHome, file);
+        const dest = join(isolatedHome, file);
+        if (existsSync(src) && !existsSync(dest)) {
+          try { symlinkSync(src, dest); } catch { /* best effort */ }
+        }
+      });
 
     } catch (e) {
       console.warn(`Failed to set up isolated ${this.name} home: ${e}`);