fix(desktop): harden lifecycle robustness — external runner, evidence-based updates, unified teardown

- Extract Electron binary + frameworks to ~/.nexu/runtime/nexu-runner.app/ via
  APFS clone so launchd services never reference the .app bundle, unblocking
  Finder drag-and-drop reinstalls
- Extract controller sidecar to ~/.nexu/runtime/controller-sidecar/ for the
  same reason; openclaw sidecar already extracted by existing logic
- All three extractions use staging dir + atomic rename to prevent half-copies
- Version-aware attach: refuse to attach to services from a different app
  version, build source, userDataPath, or openclawStateDir
- Evidence-based update install: after process sweeps, lsof-check critical
  paths; only abort if .app bundle or sidecar dirs are actually locked
- Unified dev/packaged teardown: Cmd+Q, window close, and no-window exit
  all go through teardownLaunchdServices in both modes
- daemon-supervisor circuit breaker: MAX_CONSECUTIVE_RESTARTS=10 with
  120s window, emits max_restarts_exceeded reason code
- bootoutService tolerates "already gone" errors
- runtime-ports.json atomic write (tmp + rename)
- Tighter orphan cleanup: prefer launchd label + runtime-ports metadata,
  fall back to pgrep with node.* prefix and process tree exclusion

Author: lefarcen

apps/desktop/main/index.ts

@@ -546,7 +546,11 @@ async function runLaunchdColdStart(): Promise<void> {
   logColdStart("starting launchd bootstrap");
 
   const isDev = !app.isPackaged;
-  const paths = resolveLaunchdPaths(app.isPackaged, electronRoot);
+  const paths = await resolveLaunchdPaths(
+    app.isPackaged,
+    electronRoot,
+    app.getVersion(),
+  );
 
   const nexuHome = runtimeConfig.paths.nexuHome.replace(
     /^~/,
@@ -620,6 +624,11 @@ async function runLaunchdColdStart(): Promise<void> {
     openclawExtensionsDir,
     skillNodePath,
     openclawTmpDir,
+    appVersion: app.getVersion(),
+    userDataPath: app.getPath("userData"),
+    buildSource:
+      process.env.NEXU_DESKTOP_BUILD_SOURCE ??
+      (app.isPackaged ? "packaged" : "local-dev"),
   });
 
   // Wire launchd-managed units into the orchestrator so the control plane

apps/desktop/main/runtime/daemon-supervisor.ts

@@ -29,6 +29,11 @@ import type { RuntimeUnitManifest, RuntimeUnitRecord } from "./types";
 
 const LOG_TAIL_LIMIT = 200;
 const RECENT_EVENT_LIMIT = 500;
+
+/** Maximum consecutive auto-restart attempts before giving up. */
+const MAX_CONSECUTIVE_RESTARTS = 10;
+/** If the process ran longer than this before crashing, reset the restart counter. */
+const RESTART_WINDOW_MS = 120_000;
 let nextRuntimeLogEntryId = 0;
 let nextRuntimeActionId = 0;
 let nextRuntimeEventCursor = 0;
@@ -362,7 +367,30 @@ export class RuntimeOrchestrator {
       if (record.manifest.autoRestart === false) return;
       if (record.stoppedByUser) return;
 
+      // If the process ran longer than RESTART_WINDOW_MS, it was stable —
+      // reset the consecutive restart counter.
+      if (record.startedAt) {
+        const uptimeMs = Date.now() - new Date(record.startedAt).getTime();
+        if (uptimeMs > RESTART_WINDOW_MS) {
+          record.autoRestartAttempts = 0;
+        }
+      }
+
       record.autoRestartAttempts += 1;
+
+      // Circuit breaker: stop restarting after too many consecutive failures
+      if (record.autoRestartAttempts > MAX_CONSECUTIVE_RESTARTS) {
+        setRecordPhase(record, "failed");
+        record.lastError = `Exceeded ${MAX_CONSECUTIVE_RESTARTS} consecutive restart attempts`;
+        this.logStateChange(record, {
+          kind: "lifecycle",
+          actionId: ensureActionId(record, "auto-restart"),
+          reasonCode: "max_restarts_exceeded",
+          message: `auto-restart halted after ${record.autoRestartAttempts} consecutive failures within ${RESTART_WINDOW_MS}ms window`,
+        });
+        return;
+      }
+
       const delayMs = Math.min(
         2000 * 2 ** (record.autoRestartAttempts - 1),
         MAX_BACKOFF_MS,

apps/desktop/main/runtime/manifests.ts

@@ -188,17 +188,44 @@ export function ensurePackagedOpenclawSidecar(
     return extractedSidecarRoot;
   }
 
-  // Clean + extract with retries. Node's rmSync can silently fail on macOS
-  // (ENOTEMPTY race), so use rm -rf and verify deletion before proceeding.
+  // Atomic extraction via staging directory: extract to a temporary location,
+  // verify the critical entry point, then atomically swap into the final path.
+  // This prevents half-extracted directories if the process is killed mid-extract.
+  const stagingRoot = `${extractedSidecarRoot}.staging`;
   const MAX_RETRIES = 3;
+
+  // Clean up any leftover staging directory from a previous interrupted attempt
+  if (existsSync(stagingRoot)) {
+    execFileSync("rm", ["-rf", stagingRoot]);
+  }
+
   for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
     try {
+      if (existsSync(stagingRoot)) {
+        execFileSync("rm", ["-rf", stagingRoot]);
+      }
+      mkdirSync(stagingRoot, { recursive: true });
+      execFileSync("tar", ["-xzf", archivePath, "-C", stagingRoot]);
+
+      // Verify critical entry point exists in staging
+      const stagingEntry = path.resolve(
+        stagingRoot,
+        "node_modules/openclaw/openclaw.mjs",
+      );
+      if (!existsSync(stagingEntry)) {
+        throw new Error(
+          `Extraction verification failed: ${stagingEntry} not found`,
+        );
+      }
+
+      // Write stamp inside staging
+      writeFileSync(path.resolve(stagingRoot, ".archive-stamp"), archiveStamp);
+
+      // Atomic swap: remove old → rename staging to final
       if (existsSync(extractedSidecarRoot)) {
         execFileSync("rm", ["-rf", extractedSidecarRoot]);
       }
-      mkdirSync(extractedSidecarRoot, { recursive: true });
-      execFileSync("tar", ["-xzf", archivePath, "-C", extractedSidecarRoot]);
-      writeFileSync(stampPath, archiveStamp);
+      execFileSync("mv", [stagingRoot, extractedSidecarRoot]);
       break;
     } catch (err) {
       if (attempt === MAX_RETRIES - 1) throw err;

apps/desktop/main/services/index.ts

@@ -18,6 +18,7 @@ export {
 
 export {
   bootstrapWithLaunchd,
+  checkCriticalPathsLocked,
   stopAllServices,
   teardownLaunchdServices,
   ensureNexuProcessesDead,