fix varlock() prompt write-back and daemon spawn race conditions

- Fix regex in writeBackEncryptedValue to match any varlock() call, not just
  varlock(prompt), so prompt=1 works when a value already exists
- Use singleton DaemonClient in prompt path to avoid redundant spawn attempts
- Handle cross-process daemon spawn race by retrying connect on spawn failure

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: theoephraim

packages/varlock/src/lib/local-encrypt/builtin-resolver.ts

@@ -29,7 +29,7 @@ type VarlockResolverState = {
 function writeBackEncryptedValue(itemKey: string, ciphertext: string, sourceFilePath: string | undefined) {
   if (!sourceFilePath) return;
   const currentContents = fs.readFileSync(sourceFilePath, 'utf-8');
-  const pattern = new RegExp(`^(${escapeRegExp(itemKey)}\\s*=\\s*)varlock\\(prompt(?:=\\S*)?\\)`, 'm');
+  const pattern = new RegExp(`^(${escapeRegExp(itemKey)}\\s*=\\s*)varlock\\([^)]*\\)`, 'm');
   const prefixedCiphertext = `${LOCAL_PREFIX}${ciphertext}`;
   const updatedContents = currentContents.replace(pattern, `$1varlock("${prefixedCiphertext}")`);
   if (updatedContents !== currentContents) {
@@ -105,8 +105,7 @@ export const VarlockResolver: typeof Resolver = createResolver<VarlockResolverSt
 
     // Use daemon's native dialog on macOS Secure Enclave
     if (backend.type === 'secure-enclave' && backend.biometricAvailable) {
-      const { DaemonClient } = await import('./daemon-client');
-      const client = new DaemonClient();
+      const client = localEncrypt.getDaemonClient();
       const ciphertext = await client.promptSecret({
         itemKey,
         message: `Enter the secret value for ${itemKey}:`,

packages/varlock/src/lib/local-encrypt/daemon-client.ts

@@ -84,7 +84,15 @@ export class DaemonClient {
       // Daemon not running, spawn it
     }
 
-    await this.spawnDaemon();
+    try {
+      await this.spawnDaemon();
+    } catch {
+      // Another process may have won the race to spawn the daemon.
+      // Wait briefly for it to be ready, then try connecting.
+      await new Promise<void>((r) => {
+        setTimeout(r, 1000);
+      });
+    }
     await this.connectToSocket(socketPath);
   }
 

packages/varlock/src/lib/local-encrypt/index.ts

@@ -157,7 +157,7 @@ export function getBackendInfo(): BackendInfo {
 
 let daemonClient: DaemonClient | undefined;
 
-function getDaemonClient(): DaemonClient {
+export function getDaemonClient(): DaemonClient {
   daemonClient ||= new DaemonClient();
   return daemonClient;
 }