fix: patch 7 critical bugs affecting all non-dev-machine users and Windows

1. Fix esbuild inlining build-machine __dirname as string literal — use
   CJS-compatible runtime banner with require("node:url").fileURLToPath
   across worker-service, mcp-server, and context-generator builds.

2. Fix isMainModule check missing .cjs extension and Windows backslash
   path normalization.

3. Wrap extractLastMessage in try-catch to prevent infinite Stop hook
   feedback loop on malformed transcripts (exit 0 instead of exit 2).

4. Replace heavy SessionEnd hook (Node→Bun→1.7MB CJS→HTTP) with
   lightweight inline node -e one-liner (~200ms vs >1s).

5. Add 7 Gemini/OpenRouter error patterns to unrecoverablePatterns
   circuit breaker to prevent 77K+ retry loops on expired API keys.

6. Preserve CLAUDE_CODE_OAUTH_TOKEN and CLAUDE_CODE_GIT_BASH_PATH in
   sanitizeEnv instead of stripping them with the CLAUDE_CODE_ prefix.

7. Use PowerShell -EncodedCommand for spawnDaemon to fix path quoting
   when Windows usernames contain spaces.

Closes #1515, #1495, #1475, #1465, #1500, #1513, #1512, #1450, #1460,
#1486, #1449, #1481, #1451, #1480, #1453, #1445

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/supervisor/env-sanitizer.test.ts

@@ -14,7 +14,7 @@ describe('sanitizeEnv', () => {
     expect(result.PATH).toBe('/usr/bin');
   });
 
-  it('strips variables with CLAUDE_CODE_ prefix', () => {
+  it('strips variables with CLAUDE_CODE_ prefix but preserves allowed ones', () => {
     const result = sanitizeEnv({
       CLAUDE_CODE_BAR: 'baz',
       CLAUDE_CODE_OAUTH_TOKEN: 'token',
@@ -22,7 +22,7 @@ describe('sanitizeEnv', () => {
     });
 
     expect(result.CLAUDE_CODE_BAR).toBeUndefined();
-    expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBeUndefined();
+    expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('token');
     expect(result.HOME).toBe('/home/user');
   });
 
@@ -115,9 +115,42 @@ describe('sanitizeEnv', () => {
     expect(result.CLAUDECODE).toBeUndefined();
     expect(result.CLAUDECODE_FOO).toBeUndefined();
     expect(result.CLAUDE_CODE_BAR).toBeUndefined();
-    expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBeUndefined();
+    expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('oauth-token');
     expect(result.CLAUDE_CODE_SESSION).toBeUndefined();
     expect(result.CLAUDE_CODE_ENTRYPOINT).toBeUndefined();
     expect(result.MCP_SESSION_ID).toBeUndefined();
   });
+
+  it('preserves CLAUDE_CODE_GIT_BASH_PATH through sanitization', () => {
+    const result = sanitizeEnv({
+      CLAUDE_CODE_GIT_BASH_PATH: 'C:\\Program Files\\Git\\bin\\bash.exe',
+      PATH: '/usr/bin',
+      HOME: '/home/user'
+    });
+
+    expect(result.CLAUDE_CODE_GIT_BASH_PATH).toBe('C:\\Program Files\\Git\\bin\\bash.exe');
+    expect(result.PATH).toBe('/usr/bin');
+    expect(result.HOME).toBe('/home/user');
+  });
+
+  it('selectively preserves only allowed CLAUDE_CODE_* vars while stripping others', () => {
+    const result = sanitizeEnv({
+      CLAUDE_CODE_OAUTH_TOKEN: 'my-oauth-token',
+      CLAUDE_CODE_GIT_BASH_PATH: '/usr/bin/bash',
+      CLAUDE_CODE_RANDOM_OTHER: 'should-be-stripped',
+      CLAUDE_CODE_INTERNAL_FLAG: 'should-be-stripped',
+      PATH: '/usr/bin'
+    });
+
+    // Preserved: explicitly allowed CLAUDE_CODE_* vars
+    expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('my-oauth-token');
+    expect(result.CLAUDE_CODE_GIT_BASH_PATH).toBe('/usr/bin/bash');
+
+    // Stripped: all other CLAUDE_CODE_* vars
+    expect(result.CLAUDE_CODE_RANDOM_OTHER).toBeUndefined();
+    expect(result.CLAUDE_CODE_INTERNAL_FLAG).toBeUndefined();
+
+    // Preserved: normal env vars
+    expect(result.PATH).toBe('/usr/bin');
+  });
 });