refactor(arch): close DI, import-boundary and lifecycle gaps

[charlesvien]

Problem

A review of the architecture post package split surfaced a set of gaps where apps/code and the portable packages had drifted from this repo's own stated rules: portable core/ui, strongly-typed DI, a thin host, one-line tRPC forwards. None of these are structural redesigns. They are the codebase not yet matching its own architecture doc.

Changes

DI token safety and import boundaries

• Remove the forbidden Object.freeze token bags MAIN_TOKENS, RENDERER_TOKENS (apps/code) and TOKENS (workspace-server); use the standalone Symbol.for(...) consts at every call site so TypedContainer<BindingMap> actually type-checks get/bind.
• biome.jsonc: drop the !@posthog/core negations that allowed import cycles back into api-client, workspace-client and platform; block core, workspace-client and host-router from workspace-server.
• workspace-server/src/trpc.ts: replace the package-level container.get() service-locator with a createAppRouter(services) factory resolved in serve.ts (the composition seam). The container import is removed entirely so any missed closure is a compile error.
• GIT_DIFF_SOURCE binding uses the injector ctx.get() instead of the module-level container.

Lifecycle and composition root

• Move container.unbindAll() out of AppLifecycleService into the index.ts composition root via a beforeExit hook on gracefulExit, so the service no longer reaches for the global container.

State placement

• Move the session domain store into @posthog/core as a zustand/vanilla store; @posthog/ui keeps a thin React wrapper. The immer proxy-lifetime guards in the dequeue paths are preserved verbatim.
• Add a 5 minute TTL to SessionService.previewConfigOptionsCache so stale cloud model lists do not persist for the renderer lifetime.

Reliability and correctness

• WorkspaceServerService: supervised restart with exponential backoff and a max-attempts cap, a statusChanged event stream, and a renderer failure banner with retry.
• packages/agent: thread LLM gateway config explicitly (GatewayEnv) into the Claude subprocess env instead of mutating the shared global process.env, which clobbered config across concurrent sessions.
• clearApplicationStorage now clears the encrypted SecureStore alongside localStorage (previously encrypted settings survived a factory reset).
• AgentService.getOrCreateSession overloads remove the unreachable null return on the new-session path.

Also removes a redundant immer dependency added to core/package.json (immer already resolves via zustand's peer, and declaring it would break --frozen-lockfile).

How did you test this?

All run locally in the branch worktree:

• pnpm typecheck: 22/22 packages pass
• pnpm lint: clean
• pnpm test: apps/code 151, @posthog/core 1617, @posthog/ui 787, @posthog/agent 778 pass. @posthog/workspace-server 511 pass / 5 fail, the 5 being a pre-existing better-sqlite3 native-ABI mismatch (NODE_MODULE_VERSION 145 vs 147), unrelated to these changes.
• pnpm install --frozen-lockfile: consistent
• node scripts/check-host-boundaries.mjs: no new violations

Rewrote app-lifecycle/service.test.ts for the container-teardown move and added a beforeExit hook test. The session store move is covered by the existing sessionStore (10), sessionServiceHost (119) and recovery integration (7) suites.

Not yet covered by an automated test: the WorkspaceServerService restart supervisor (the service had no prior test file). Worth a follow-up.

Automatic notifications

• Publish to changelog?
• Alert Sales and Marketing teams?

[charlesvien]

• fix(desktop): renderer boot error boundary and electron hardening #2816
• refactor(arch): close DI, import-boundary and lifecycle gaps #2813 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

React Doctor found no issues in the changed files. 🎉

_{Reviewed by React Doctor for commit a43877f.}

[greptile-apps]

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
apps/code/src/renderer/components/Providers.tsx:79
**"Retry" button does nothing in the `failed` state**

`invalidateConnection()` only refetches the `workspaceServer.getConnection` query. When status is `"failed"` the workspace server process has exhausted all its auto-retry attempts and `wsServer.getConnection()` still returns `null`, so the refetch just returns `null` again and the banner persists. To actually restart the server, something must call `wsServer.start()` (with `restartAttempts` reset, as `stop()` does), which requires a new tRPC mutation or procedure — `invalidateConnection` does not trigger that path.

### Issue 2 of 2
packages/ui/src/utils/clearStorage.ts:19-30
**Always reloads even when server-side clear fails**

Previously, a failure in `clearAllData` showed an alert and did **not** reload — the user kept the app in its original state. With `Promise.allSettled`, the page always reloads regardless of whether either operation succeeded. If `folders.clearAllData` fails, the server-side folder registrations survive while `localStorage` is wiped, potentially leaving the app in an inconsistent state on reload (e.g., no locally-known folders but the server still has them). Errors are only logged to the console, so the user gets no indication that the clear was partial.

_{Reviews (1): Last reviewed commit: "tighten architecture boundaries and DI s..." | Re-trigger Greptile}

[stamphog]

Gates denied this PR: it matches the auth deny-list, exceeds size limits (2830 lines, 33 files), and is classified as a never-auto-approve tier due to its multi-area refactor scope. Additionally, there are unresolved bot comments raising substantive concerns about broken retry behavior and a behavior regression in clearStorage error handling.

[stamphog]

Gates denied this PR: it touches auth code, exceeds size limits at 2830 lines across 33 files, and is classified as a never-auto-approve multi-area refactor. There are also unresolved substantive bot comments about a broken retry button and a behavior regression in clearStorage error handling that need to be addressed.

[stamphog]

Gates denied this PR: it touches auth code, exceeds size limits (3014 lines, 34 files), and is classified as a never-auto-approve multi-area refactor. Two substantive bot-raised concerns remain: the "Retry" button doing nothing in the failed state, and a behavior regression in clearStorage that always reloads even when server-side clearing fails.

[stamphog]

Gates denied this PR: it touches auth code, exceeds size limits (3014 lines, 34 files), and is classified as a never-auto-approve multi-area refactor. Two substantive bot-raised concerns also remain unaddressed: the "Retry" button doing nothing in the failed state, and a behavior regression in clearStorage that always reloads even when server-side clearing fails.

[tatoalo]

here and in gateway-models.ts we are still reading process.env. ANTHROPIC_BASE_URL so we would break the model picker, we would need to thread it explicitly. Approving not to block but this needs to be addressed

[charlesvien]

Merge activity

• Jun 24, 12:58 AM UTC: @charlesvien merged this pull request with Graphite.