update install: defer to external supervisor (systemd) instead of spawning a competing detached daemon

[Rinse12]

Problem

bitsocial update install (default --restart-daemons) restarts the daemon by stopping it and spawn(\"bitsocial\", [\"daemon\", ...], { detached: true }) — a process no supervisor owns. On a host where the daemon is managed by systemd, this detached daemon competes with systemd for the PKC RPC port (ws://localhost:9138). systemd's own bitsocial.service then can never bind, exits with "PKC RPC port is already in use", and Restart=on-failure restarts it forever — an infinite crash loop that churns daemon log files (capacity 5) every few seconds.

Root cause

src/cli/commands/update/install.ts has no notion of who supervises the daemon, so it always tears it down and re-spawns it itself, escaping systemd.

Fix

Make update install supervisor-aware, keyed off the daemon's own state file:

1. Daemon records its supervisor at startup (src/cli/commands/daemon.ts + src/common-utils/daemon-state.ts). systemd sets \$INVOCATION_ID for every service it spawns; the unit name is parsed from /proc/self/cgroup. Stored as supervisor?: { type: \"systemd\"; unit: string } on DaemonState (absent ⇒ unsupervised/standalone/legacy).
2. update install routes each daemon by supervisor:
   • Supervised ⇒ don't pre-stop, don't detached-spawn; swap the binary, then systemctl restart <unit> (systemd owns the new process, no port race — systemd waits for the whole cgroup, including kubo, to exit before restart).
   • Unsupervised ⇒ current behavior unchanged (SIGINT + wait + detached spawn).
   • Legacy daemons (no supervisor field, started before this change) ⇒ fall back to inferring the unit from /proc/<pid>/cgroup.
3. Off-Linux / no /proc ⇒ falls back to current behavior (zero regression).

Tests

• Pure cgroup parser: system.slice/bitsocial.service ⇒ unit; user.slice/.../session-NN.scope ⇒ none; cgroup v1 multi-line; templated foo@1.service; missing file.
• detectSelfSupervisor: no INVOCATION_ID ⇒ none; set + service cgroup ⇒ unit; set + scope cgroup ⇒ none.
• resolveDaemonSupervisor: state field wins; legacy fallback to cgroup.
• Restart routing (injectable lifecycle): supervised ⇒ restartManaged (systemctl), never detached spawn / pre-stop; unsupervised ⇒ stop + detached spawn; mixed ⇒ both; dedup per unit.
• State round-trip preserves supervisor.

Notes

A StartLimit guardrail on the unit (caps the loop) was considered and explicitly declined in favor of fixing the root cause in the CLI.

[Rinse12]

Implemented and tested.

Changes

• `src/common-utils/daemon-state.ts`: added `DaemonSupervisor` + `supervisor?` on `DaemonState`; `parseSystemdUnitFromCgroup` (pure), `readSystemdUnit`, `detectSelfSupervisor` (env + cgroup, injectable), `resolveDaemonSupervisor` (state field, cgroup fallback for legacy daemons).
• `src/cli/commands/daemon.ts`: records the supervisor at startup via `detectSelfSupervisor()`.
• `src/update/restart-orchestration.ts` (new): pure, injectable routing — `planDaemonRestarts`, `stopUnmanagedDaemons`, `startUnmanagedDaemons`, `restartManagedDaemons` (deduped per unit).
• `src/update/systemctl.ts` (new): injectable `systemctlRestart(unit)`.
• `src/cli/commands/update/install.ts`: partitions daemons by supervisor — unsupervised keep today's SIGINT + detached-respawn; supervised are left running across the swap and restarted via `systemctl restart `. Legacy daemons (no field) fall back to cgroup inference. Off-Linux falls back to current behavior.

Tests (26, all green)

• `test/common-utils/daemon-supervisor.test.ts` (15): cgroup parser cases (v2/v1/scope/templated/root/empty), `detectSelfSupervisor` env gating, `resolveDaemonSupervisor` field-vs-cgroup, state round-trip of the field.
• `test/update/restart-orchestration.test.ts` (7): partitioning, stop/start only unsupervised, restart supervised via supervisor, dedup, and the invariant that a supervised daemon is never stopped/detached-spawned.
• `test/update/systemctl.test.ts` (2): exact `systemctl restart ` command + error propagation.
• `test/cli/update-install-systemd-aware.test.ts` (E2E): a systemd-marked daemon survives `update install` and is never detached-spawned. Verified red against the old code (it SIGINTs the supervised daemon) and green after the fix.
• Existing daemon: kubo restart races — concurrent keepKuboUp entries orphan kubo or hang shutdown (flaky "stops kubo when daemon exits during a restart cycle") #70 unmanaged-restart E2E still passes (refactor preserved that path).

The systemctl-restart-after-real-install path can't be E2E'd without hitting npm (installGlobal spawns `node npm-cli.js install -g` by absolute path), so it's covered by the orchestration + systemctl unit tests plus the wiring in install.ts.

Full `npm run test:cli` running now.