Addresses the four findings from the independent review of #793 (exact head
0e41a5c2). TDD: each fix's failing test was added first (18 new tests), then
the implementation; full mosaic suite 1098 green, three gates green.
1. nohup fallback async spawn error (correctness): spawn() reports ENOENT/EACCES
asynchronously via the child 'error' event, which the old try/catch could not
see -> an unhandled 'error' would crash the launcher, and it returned status 0
before the child had started. Extract startNohupProxy(): attach the 'error'
listener BEFORE unref(), resolve non-zero on async error/sync throw, and
resolve success only after a confirmed 'spawn'. startNohup dep is now async.
2. systemd start not socket-bound (correctness): `systemctl --user start` exit 0
means the job was accepted, not bound within one probe. ensureProxyRunning now
polls liveness to a bounded startupDeadlineMs after a start before falling
back, so a slow systemd bind can't trigger a second, contending proxy.
3. liveness trust (security, CWE-345): probeLiveness hit the root and trusted ANY
HTTP response, so a local port-squatter could be taken for the proxy and MITM
Claude traffic. Now probe the proxy-specific GET /healthz and require a 2xx.
This also resolves gotcha #1 (root returns non-2xx): /healthz returns 2xx when
healthy, so a live proxy is never mistaken for dead. (Upstream offers no unix
socket or shared-secret handshake; /healthz is the in-scope identity ceiling.)
4. systemd ExecStart injection (security, CWE-74): buildSystemdUnitContent
interpolated binaryPath raw, so a CR/LF could inject unit directives. Validate
the path (absolute, reject control chars) and systemd-quote it when it carries
whitespace/quotes; installSystemdUnit now refuses to write a poisoned unit.
Coverage on claudex-proxy.ts: 96.3% stmts/lines, 87.1% branch.
Refs #790
P1 of the `mosaic yolo claudex` launcher (#790): pure, dependency-injected
preflight and lifecycle helpers for `raine/claude-code-proxy` (the local
Anthropic->Codex translation proxy on 127.0.0.1:18765). No session launch yet;
the isolated CLAUDE_CONFIG_DIR composition + env-injection land in PR-2.
Authored test-first (spec written and run red before implementation, then
green). 39 unit tests, 89.6% statement/line coverage on the new module; the
only uncovered lines are the process-spawning system wrappers
(systemd/nohup/wait), which are integration glue unsuitable for unit spawning.
Helpers:
- checkProxyBinary — binary presence via an injectable `which` resolver.
- parseAuthStatus / checkAuthStatus — coarse OAuth state from
`codex auth status`. Carries NO token material (state + optional expiry only)
so token-shaped output can never leak downstream.
- runDeviceReauth — `codex auth device` with stdio:'inherit' so the device code
streams to the user's TTY; the launcher never captures/logs it or sees the
resulting token.
- probeLiveness — gotcha #1: ANY HTTP response (incl. non-2xx) = alive; only a
transport failure/timeout = dead. NEVER `curl -f` (that spawned duplicate
proxies). Bounded by an explicit timeout race so a hung socket can't wedge.
- buildSystemdUnitContent / systemdUnitPath / installSystemdUnit — systemd
--user unit management; unit carries no credential material.
- runProxyPreflight — structured binary+auth+liveness report.
- ensureProxyRunning — no-op when live, else systemd-preferred with nohup
fallback, re-probing after each attempt so it never spawns a duplicate.
Refs #790. Not part of the #758 fleet DAG.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>