@botcord/daemon 0.2.62 → 0.2.64

package/dist/acp-logs.d.ts

@@ -1,5 +1,5 @@
 import type { LogFileEntry } from "./log.js";
-export type AcpTraceStream = "child_start" | "child_exit" | "child_error" | "stderr" | "stdout_non_json" | "rpc_in" | "rpc_out";
+export type AcpTraceStream = "child_start" | "child_exit" | "child_error" | "stderr" | "stdout_non_json" | "turn_context" | "rpc_in" | "rpc_out";
 export interface AcpTraceMeta {
     runtime: string;
     accountId?: string;
@@ -13,6 +13,10 @@ export interface AcpTraceMeta {
 }
 export interface AcpTraceEvent {
     stream: AcpTraceStream;
+    turnId?: string;
+    messageId?: string;
+    roomId?: string;
+    topicId?: string | null;
     direction?: "in" | "out";
     pid?: number;
     id?: number | string;

package/dist/acp-logs.js

@@ -64,9 +64,10 @@ function writeAcpTrace(file, meta, event, verbose) {
             ts: new Date().toISOString(),
             runtime: meta.runtime,
             accountId: meta.accountId,
-            turnId: meta.turnId,
-            roomId: meta.roomId,
-            topicId: meta.topicId ?? undefined,
+            turnId: event.turnId ?? meta.turnId,
+            messageId: event.messageId,
+            roomId: event.roomId ?? meta.roomId,
+            topicId: event.topicId ?? meta.topicId ?? undefined,
             gatewayName: meta.gatewayName,
             gatewayUrl: meta.gatewayUrl,
             hermesProfile: meta.hermesProfile,

package/dist/config.d.ts

@@ -139,7 +139,7 @@ export interface DaemonConfig {
     streamBlocks: boolean;
     /**
      * Persistent transcript-logging settings (design §3 / §6). Defaults to
-     * disabled — see `BOTCORD_TRANSCRIPT` for env-driven temporary overrides.
+     * enabled — see `BOTCORD_TRANSCRIPT` for env-driven temporary overrides.
      */
     transcript?: TranscriptConfig;
     /**
@@ -162,8 +162,8 @@ export interface DaemonConfig {
     thirdPartyGateways?: ThirdPartyGatewayProfile[];
 }
 /**
- * Persistent transcript settings (design §6). Default-off — `botcord-daemon
- * transcript enable` flips `enabled` and `transcript disable` flips it back.
+ * Persistent transcript settings (design §6). Default-on — `botcord-daemon
+ * transcript disable` sets `enabled=false`, and `transcript enable` flips it back.
  * The env var `BOTCORD_TRANSCRIPT` can override at boot.
  */
 export interface TranscriptConfig {

package/dist/control-channel.d.ts

@@ -73,6 +73,7 @@ export declare class ControlChannel {
     private readonly seenFrameIds;
     private connectInflight;
     private connected;
+    private connectionSeq;
     constructor(opts: ControlChannelOptions);
     /** True once the initial WS handshake succeeded. Flipped back on close. */
     get isConnected(): boolean;

package/dist/control-channel.js

@@ -12,6 +12,7 @@ import { log as daemonLog } from "./log.js";
 import { AuthRefreshRejectedError, writeAuthExpiredFlag, } from "./user-auth.js";
 /** Exponential backoff plan for transient disconnects. */
 const RECONNECT_BACKOFF_MS = [1000, 2000, 4000, 8000, 16000, 30000];
+const RECONNECT_JITTER_RATIO = 0.25;
 /**
  * Keepalive cadence. Has to stay below the smallest idle-timeout in any
  * intermediary on the daemon → Hub WS path. Cloudflare and AWS ALB both
@@ -38,6 +39,10 @@ export function controlSigningInput(frame) {
     };
     return jcsCanonicalize(obj) ?? "{}";
 }
+function withReconnectJitter(delayMs) {
+    const jitterMs = Math.floor(Math.random() * delayMs * RECONNECT_JITTER_RATIO);
+    return { delayMs: delayMs + jitterMs, jitterMs };
+}
 /**
  * Long-lived, self-healing WS connection that carries control frames
  * between the Hub and the local daemon. Owns reconnect/backoff and
@@ -60,6 +65,7 @@ export class ControlChannel {
     seenFrameIds = [];
     connectInflight = null;
     connected = false;
+    connectionSeq = 0;
     constructor(opts) {
         this.auth = opts.auth;
         this.handle = opts.handle;
@@ -170,9 +176,22 @@ export class ControlChannel {
         const record = this.auth.current;
         if (!record)
             throw new Error("control-channel: no user-auth");
+        const current = this.ws;
+        if (current &&
+            (current.readyState === WebSocket.CONNECTING || current.readyState === WebSocket.OPEN)) {
+            daemonLog.debug("control-channel connect skipped (socket already active)", {
+                readyState: current.readyState,
+            });
+            return;
+        }
+        if (this.reconnectTimer) {
+            clearTimeout(this.reconnectTimer);
+            this.reconnectTimer = null;
+        }
         const accessToken = await this.auth.ensureAccessToken();
         const url = buildDaemonWebSocketUrl(record.hubUrl, this.path, this.label ? { label: this.label } : undefined);
         daemonLog.info("control-channel connecting", { url });
+        const connectionId = ++this.connectionSeq;
         const ws = new this.webSocketCtor(url, {
             headers: { Authorization: `Bearer ${accessToken}` },
         });
@@ -180,6 +199,16 @@ export class ControlChannel {
         await new Promise((resolve, reject) => {
             const onOpen = () => {
                 ws.removeListener("error", onError);
+                if (this.stopRequested || this.ws !== ws || connectionId !== this.connectionSeq) {
+                    try {
+                        ws.close(1000, "stale control-channel connection");
+                    }
+                    catch {
+                        // ignore
+                    }
+                    resolve();
+                    return;
+                }
                 this.connected = true;
                 this.reconnectAttempts = 0;
                 daemonLog.info("control-channel connected", { url });
@@ -188,13 +217,21 @@ export class ControlChannel {
             };
             const onError = (err) => {
                 ws.removeListener("open", onOpen);
+                if (this.ws !== ws || connectionId !== this.connectionSeq) {
+                    resolve();
+                    return;
+                }
                 reject(err);
             };
             ws.once("open", onOpen);
             ws.once("error", onError);
         });
-        ws.on("message", (data) => this.onMessage(data));
-        ws.on("close", (code, reason) => this.onClose(code, reason));
+        ws.on("message", (data) => {
+            if (this.ws !== ws || connectionId !== this.connectionSeq)
+                return;
+            void this.onMessage(data);
+        });
+        ws.on("close", (code, reason) => this.onClose(code, reason, ws, connectionId));
         ws.on("error", (err) => daemonLog.warn("control-channel error", {
             error: err instanceof Error ? err.message : String(err),
         }));
@@ -231,8 +268,12 @@ export class ControlChannel {
             this.keepaliveTimer = null;
         }
     }
-    onClose(code, reason) {
+    onClose(code, reason, ws, connectionId) {
         const reasonText = reason?.toString() || "";
+        if (ws && (this.ws !== ws || connectionId !== this.connectionSeq)) {
+            daemonLog.debug("control-channel stale close ignored", { code, reason: reasonText });
+            return;
+        }
         this.connected = false;
         this.stopKeepalive();
         this.ws = null;
@@ -252,6 +293,13 @@ export class ControlChannel {
     scheduleReconnect(err) {
         if (this.stopRequested)
             return;
+        if (this.reconnectTimer)
+            return;
+        const current = this.ws;
+        if (current &&
+            (current.readyState === WebSocket.CONNECTING || current.readyState === WebSocket.OPEN)) {
+            return;
+        }
         if (err instanceof AuthRefreshRejectedError) {
             this.stopRequested = true;
             daemonLog.warn("control-channel: refresh rejected; halting reconnect (re-login required)", {
@@ -261,22 +309,25 @@ export class ControlChannel {
         }
         const attempt = this.reconnectAttempts;
         this.reconnectAttempts = attempt + 1;
-        const delay = this.backoff[Math.min(attempt, this.backoff.length - 1)];
+        const baseDelayMs = this.backoff[Math.min(attempt, this.backoff.length - 1)];
+        const { delayMs, jitterMs } = withReconnectJitter(baseDelayMs);
         if (err) {
             daemonLog.warn("control-channel reconnect scheduled", {
-                delayMs: delay,
+                delayMs,
+                baseDelayMs,
+                jitterMs,
                 error: err instanceof Error ? err.message : String(err),
             });
         }
         else {
-            daemonLog.info("control-channel reconnect scheduled", { delayMs: delay });
+            daemonLog.info("control-channel reconnect scheduled", { delayMs, baseDelayMs, jitterMs });
         }
         this.reconnectTimer = setTimeout(() => {
             this.reconnectTimer = null;
             if (this.stopRequested)
                 return;
             this.connect().catch((err) => this.scheduleReconnect(err));
-        }, delay);
+        }, delayMs);
     }
     async onMessage(data) {
         let frame;

package/dist/daemon.js

@@ -367,7 +367,7 @@ export async function startDaemon(opts) {
         composeUserTurn: composeBotCordUserTurn,
         attentionGate,
         resolveHubUrl,
-        transcriptEnabled: resolveTranscriptEnabled(process.env.BOTCORD_TRANSCRIPT, opts.config.transcript?.enabled === true),
+        transcriptEnabled: resolveTranscriptEnabled(process.env.BOTCORD_TRANSCRIPT, opts.config.transcript?.enabled),
     });
     logger.info("daemon starting", {
         agents: agentIds,

package/dist/diagnostics.d.ts

@@ -5,6 +5,7 @@ export interface CreateDiagnosticBundleOptions {
     logFile?: string;
     configFile?: string;
     snapshotFile?: string;
+    sessionsFile?: string;
     doctor?: {
         text: string;
         json: unknown;

package/dist/diagnostics.js

@@ -1,12 +1,15 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
 import { homedir, hostname, platform, release, arch } from "node:os";
 import path from "node:path";
 import { Buffer } from "node:buffer";
+import { createRequire } from "node:module";
+import { fileURLToPath } from "node:url";
 import { deflateRawSync } from "node:zlib";
 import { AUTH_EXPIRED_FLAG_PATH, USER_AUTH_PATH, } from "./user-auth.js";
-import { CONFIG_FILE_PATH, PID_PATH, SNAPSHOT_PATH, loadConfig, saveConfig, } from "./config.js";
+import { CONFIG_FILE_PATH, PID_PATH, SESSIONS_PATH, SNAPSHOT_PATH, loadConfig, saveConfig, } from "./config.js";
 import { listDaemonLogFiles, LOG_FILE_PATH } from "./log.js";
 import { listAcpTraceLogFiles, listRuntimeLogFiles } from "./acp-logs.js";
+import { defaultTranscriptRoot } from "./gateway/transcript.js";
 import { channelsFromDaemonConfig, defaultHttpFetcher, renderDoctor, runDoctor, } from "./doctor.js";
 import { detectRuntimes } from "./adapters/runtimes.js";
 import { log as daemonLog } from "./log.js";
@@ -14,6 +17,27 @@ import { discoverLocalOpenclawGateways, mergeOpenclawGateways, openclawDiscovery
 const DIAGNOSTICS_DIR = path.join(homedir(), ".botcord", "diagnostics");
 const MAX_UPLOAD_BYTES = 50 * 1024 * 1024;
 const DEFAULT_ROTATED_LOGS_IN_BUNDLE = 5;
+const require = createRequire(import.meta.url);
+const MODULE_PATH = fileURLToPath(import.meta.url);
+const ENV_ALLOWLIST = new Set([
+    "NODE_ENV",
+    "PATH",
+    "BOTCORD_HUB",
+    "BOTCORD_DAEMON_HOME",
+    "BOTCORD_DAEMON_CONFIG",
+    "BOTCORD_DAEMON_LOG",
+    "BOTCORD_DAEMON_SNAPSHOT_INTERVAL_MS",
+    "BOTCORD_HERMES_AGENT_BIN",
+    "BOTCORD_CLAUDE_CODE_BIN",
+    "BOTCORD_CODEX_BIN",
+    "BOTCORD_GEMINI_BIN",
+    "BOTCORD_DEEPSEEK_TUI_BIN",
+    "BOTCORD_KIMI_CLI_BIN",
+    "OPENCLAW_ACP_URL",
+]);
+const TRANSCRIPT_LOG_DIAGNOSTICS_DEFAULT = 10;
+const TRANSCRIPT_LOG_DIAGNOSTICS_ALL = 50;
+const TRANSCRIPT_LOG_MAX_FILE_BYTES = 2 * 1024 * 1024;
 const SECRET_PATTERNS = [
     [/(Authorization:\s*Bearer\s+)[^\s"']+/gi, "$1[REDACTED]"],
     [/("?(?:accessToken|access_token|refreshToken|refresh_token|token|privateKey|private_key|secret)"?\s*:\s*")[^"]+(")/gi, "$1[REDACTED]$2"],
@@ -38,6 +62,82 @@ function safeReadText(file) {
         return `read failed: ${err instanceof Error ? err.message : String(err)}\n`;
     }
 }
+function readJsonFile(file) {
+    try {
+        const parsed = JSON.parse(readFileSync(file, "utf8"));
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? parsed
+            : null;
+    }
+    catch {
+        return null;
+    }
+}
+function findDaemonPackageJson(startFile) {
+    let dir = path.dirname(startFile);
+    for (let i = 0; i < 6; i += 1) {
+        const candidate = path.join(dir, "package.json");
+        const parsed = readJsonFile(candidate);
+        if (parsed?.name === "@botcord/daemon")
+            return parsed;
+        const next = path.dirname(dir);
+        if (next === dir)
+            break;
+        dir = next;
+    }
+    return null;
+}
+function readInstalledPackageVersion(packageJsonSpecifier) {
+    try {
+        const pkgPath = require.resolve(packageJsonSpecifier);
+        const parsed = readJsonFile(pkgPath);
+        return typeof parsed?.version === "string" ? parsed.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function daemonRuntimeSummary() {
+    const pkg = findDaemonPackageJson(MODULE_PATH);
+    const version = typeof pkg?.version === "string" ? pkg.version : null;
+    const startedAtMs = Date.now() - Math.round(process.uptime() * 1000);
+    return {
+        packageName: typeof pkg?.name === "string" ? pkg.name : "@botcord/daemon",
+        version,
+        modulePath: MODULE_PATH,
+        entrypoint: process.argv[1] ?? null,
+        execPath: process.execPath,
+        argv: process.argv.map((arg) => redact(arg)),
+        execArgv: process.execArgv.map((arg) => redact(arg)),
+        cwd: process.cwd(),
+        pid: process.pid,
+        ppid: process.ppid,
+        uptimeSec: Math.round(process.uptime()),
+        startedAt: new Date(startedAtMs).toISOString(),
+        versions: {
+            node: process.version,
+            v8: process.versions.v8,
+            uv: process.versions.uv,
+            openssl: process.versions.openssl,
+        },
+        packages: {
+            "@botcord/daemon": version,
+            "@botcord/cli": readInstalledPackageVersion("@botcord/cli/package.json"),
+            "@botcord/protocol-core": readInstalledPackageVersion("@botcord/protocol-core/package.json"),
+        },
+    };
+}
+function safeEnvironmentSummary() {
+    const out = {};
+    for (const [key, value] of Object.entries(process.env)) {
+        if (!value)
+            continue;
+        if (!ENV_ALLOWLIST.has(key) && !key.startsWith("BOTCORD_DAEMON_"))
+            continue;
+        out[key] = redact(value);
+    }
+    return out;
+}
 function readUserAuthSummary() {
     const raw = safeReadText(USER_AUTH_PATH);
     if (!raw)
@@ -252,6 +352,50 @@ function bundledLogs(logFile, includeAllLogs) {
         ...(includeAllLogs ? rotated : rotated.slice(0, DEFAULT_ROTATED_LOGS_IN_BUNDLE)),
     ];
 }
+function listTranscriptLogFiles(includeAll) {
+    const root = defaultTranscriptRoot();
+    const out = [];
+    collectTranscriptFiles(root, root, out, 5);
+    const limit = includeAll ? TRANSCRIPT_LOG_DIAGNOSTICS_ALL : TRANSCRIPT_LOG_DIAGNOSTICS_DEFAULT;
+    return out
+        .sort((a, b) => b.mtimeMs - a.mtimeMs || b.name.localeCompare(a.name))
+        .slice(0, limit);
+}
+function collectTranscriptFiles(root, dir, out, maxDepth) {
+    if (maxDepth < 0)
+        return;
+    let names;
+    try {
+        names = readdirSync(dir);
+    }
+    catch {
+        return;
+    }
+    for (const name of names) {
+        const file = path.join(dir, name);
+        try {
+            const st = statSync(file);
+            if (st.isDirectory()) {
+                collectTranscriptFiles(root, file, out, maxDepth - 1);
+            }
+            else if (st.isFile() &&
+                name.endsWith(".jsonl") &&
+                file.includes(`${path.sep}transcripts${path.sep}`) &&
+                st.size <= TRANSCRIPT_LOG_MAX_FILE_BYTES) {
+                out.push({
+                    path: file,
+                    name: path.relative(root, file) || name,
+                    sizeBytes: st.size,
+                    mtimeMs: st.mtimeMs,
+                    active: true,
+                });
+            }
+        }
+        catch {
+            // ignore files that disappear while collecting diagnostics
+        }
+    }
+}
 export async function createDiagnosticBundle(opts = {}) {
     const createdAt = new Date();
     const stamp = createdAt.toISOString().replace(/[:.]/g, "-");
@@ -260,10 +404,12 @@ export async function createDiagnosticBundle(opts = {}) {
     const logFile = opts.logFile ?? LOG_FILE_PATH;
     const configFile = opts.configFile ?? CONFIG_FILE_PATH;
     const snapshotFile = opts.snapshotFile ?? SNAPSHOT_PATH;
+    const sessionsFile = opts.sessionsFile ?? SESSIONS_PATH;
     const includeAllLogs = opts.includeAllLogs === true;
     const logs = bundledLogs(logFile, includeAllLogs);
     const acpLogs = listAcpTraceLogFiles(includeAllLogs);
     const runtimeLogs = listRuntimeLogFiles(includeAllLogs);
+    const transcriptLogs = listTranscriptLogFiles(includeAllLogs);
     mkdirSync(diagnosticsDir, { recursive: true, mode: 0o700 });
     const doctor = opts.doctor ?? await buildDoctorEntries();
     const status = {
@@ -273,9 +419,12 @@ export async function createDiagnosticBundle(opts = {}) {
         release: release(),
         arch: arch(),
         node: process.version,
+        daemon: daemonRuntimeSummary(),
+        environment: safeEnvironmentSummary(),
         pidPath: PID_PATH,
         pid: process.pid,
         configPath: configFile,
+        sessionsPath: sessionsFile,
         snapshotPath: snapshotFile,
         logPath: logFile,
         logsBundled: logs.map((entry) => ({
@@ -294,6 +443,11 @@ export async function createDiagnosticBundle(opts = {}) {
             path: entry.path,
             sizeBytes: entry.sizeBytes,
         })),
+        transcriptLogsBundled: transcriptLogs.map((entry) => ({
+            name: entry.name,
+            path: entry.path,
+            sizeBytes: entry.sizeBytes,
+        })),
         logsBundleMode: includeAllLogs ? "all" : `active_plus_${DEFAULT_ROTATED_LOGS_IN_BUNDLE}_rotated`,
         diagnosticsDir,
         userAuth: readUserAuthSummary(),
@@ -333,6 +487,13 @@ export async function createDiagnosticBundle(opts = {}) {
             data: log ?? `no runtime log file at ${entry.path}\n`,
         });
     }
+    for (const entry of transcriptLogs) {
+        const log = safeReadText(entry.path);
+        entries.push({
+            name: `transcripts/${entry.name.split(path.sep).join("/")}`,
+            data: log ?? `no transcript log file at ${entry.path}\n`,
+        });
+    }
     const config = safeReadText(configFile);
     entries.push({
         name: "config.json.redacted",
@@ -343,6 +504,11 @@ export async function createDiagnosticBundle(opts = {}) {
         name: "snapshot.json",
         data: snapshot ?? `no snapshot file at ${snapshotFile}\n`,
     });
+    const sessions = safeReadText(sessionsFile);
+    entries.push({
+        name: "sessions.json.redacted",
+        data: sessions ?? `no sessions file at ${sessionsFile}\n`,
+    });
     const zip = createZip(entries);
     const out = path.join(diagnosticsDir, filename);
     writeFileSync(out, zip, { mode: 0o600 });

package/dist/gateway/channels/botcord.js

@@ -3,6 +3,7 @@ import { BotCordClient, buildHubWebSocketUrl, defaultCredentialsFile, loadStored
 import { sanitizeUntrustedContent } from "./sanitize.js";
 import { revokeAgent } from "../../provision.js";
 const RECONNECT_BACKOFF = [1000, 2000, 4000, 8000, 16000, 30000];
+const RECONNECT_JITTER_RATIO = 0.25;
 const KEEPALIVE_INTERVAL = 20_000;
 const MAX_AUTH_FAILURES = 5;
 const SEEN_MESSAGES_CAP = 500;
@@ -10,6 +11,10 @@ const OWNER_CHAT_PREFIX = "rm_oc_";
 const DM_ROOM_PREFIX = "rm_dm_";
 const INBOX_POLL_LIMIT = 50;
 const CHANNEL_PERMANENT_STOP = "channel_permanent_stop";
+function withReconnectJitter(delayMs) {
+    const jitterMs = Math.floor(Math.random() * delayMs * RECONNECT_JITTER_RATIO);
+    return { delayMs: delayMs + jitterMs, jitterMs };
+}
 function isUnclaimedAgentError(err) {
     const status = err?.status;
     if (status !== 403)
@@ -344,6 +349,7 @@ export function createBotCordChannel(options) {
         let reconnectTimer = null;
         let keepaliveTimer = null;
         let reconnectAttempt = 0;
+        let connectionSeq = 0;
         let consecutiveAuthFailures = 0;
         let running = true;
         let permanentStopping = false;
@@ -465,22 +471,36 @@ export function createBotCordChannel(options) {
         function scheduleReconnect() {
             if (!running)
                 return;
-            const delay = RECONNECT_BACKOFF[Math.min(reconnectAttempt, RECONNECT_BACKOFF.length - 1)];
+            if (reconnectTimer)
+                return;
+            if (ws && (ws.readyState === WebSocket.CONNECTING || ws.readyState === WebSocket.OPEN)) {
+                return;
+            }
+            const baseDelayMs = RECONNECT_BACKOFF[Math.min(reconnectAttempt, RECONNECT_BACKOFF.length - 1)];
+            const { delayMs, jitterMs } = withReconnectJitter(baseDelayMs);
             reconnectAttempt += 1;
             markStatus({
                 connected: false,
                 restartPending: true,
                 reconnectAttempts: reconnectAttempt,
             });
-            log.info("botcord ws reconnect scheduled", { delayMs: delay, attempt: reconnectAttempt });
+            log.info("botcord ws reconnect scheduled", {
+                delayMs,
+                baseDelayMs,
+                jitterMs,
+                attempt: reconnectAttempt,
+            });
             reconnectTimer = setTimeout(() => {
                 reconnectTimer = null;
                 void connect();
-            }, delay);
+            }, delayMs);
         }
         async function connect() {
             if (!running)
                 return;
+            if (ws && (ws.readyState === WebSocket.CONNECTING || ws.readyState === WebSocket.OPEN)) {
+                return;
+            }
             const agentId = options.agentId;
             markStatus({ connected: false, restartPending: false });
             if (pendingRefresh) {
@@ -506,8 +526,11 @@ export function createBotCordChannel(options) {
             }
             const url = buildHubWebSocketUrl(hubUrl);
             log.info("botcord ws connecting", { url, agentId });
+            const connectionId = ++connectionSeq;
+            let socket;
             try {
-                ws = new wsCtor(url);
+                socket = new wsCtor(url);
+                ws = socket;
             }
             catch (err) {
                 log.error("botcord ws construct failed", { agentId, err: String(err) });
@@ -515,10 +538,21 @@ export function createBotCordChannel(options) {
                 scheduleReconnect();
                 return;
             }
-            ws.on("open", () => {
-                ws.send(JSON.stringify({ type: "auth", token }));
+            socket.on("open", () => {
+                if (!running || ws !== socket || connectionId !== connectionSeq) {
+                    try {
+                        socket.close();
+                    }
+                    catch {
+                        // ignore
+                    }
+                    return;
+                }
+                socket.send(JSON.stringify({ type: "auth", token }));
             });
-            ws.on("message", (data) => {
+            socket.on("message", (data) => {
+                if (ws !== socket || connectionId !== connectionSeq)
+                    return;
                 let msg = null;
                 try {
                     msg = JSON.parse(String(data));
@@ -540,10 +574,12 @@ export function createBotCordChannel(options) {
                     });
                     log.info("botcord ws authenticated", { agentId: msg.agent_id });
                     void fireInbox("ws_auth_ok");
+                    if (keepaliveTimer)
+                        clearInterval(keepaliveTimer);
                     keepaliveTimer = setInterval(() => {
-                        if (ws && ws.readyState === WebSocket.OPEN) {
+                        if (ws === socket && socket.readyState === WebSocket.OPEN) {
                             try {
-                                ws.send(JSON.stringify({ type: "ping" }));
+                                socket.send(JSON.stringify({ type: "ping" }));
                             }
                             catch {
                                 // ignore
@@ -562,10 +598,15 @@ export function createBotCordChannel(options) {
                     log.warn("botcord ws server error", { agentId, msg });
                 }
             });
-            ws.on("close", (code, reason) => {
+            socket.on("close", (code, reason) => {
                 const reasonStr = reason?.toString() || "";
+                if (ws !== socket || connectionId !== connectionSeq) {
+                    log.debug("botcord ws stale close ignored", { agentId, code, reason: reasonStr });
+                    return;
+                }
                 log.info("botcord ws closed", { agentId, code, reason: reasonStr });
                 clearTimers();
+                ws = null;
                 markStatus({ connected: false });
                 if (!running) {
                     if (permanentStopping)
@@ -606,7 +647,9 @@ export function createBotCordChannel(options) {
                 }
                 scheduleReconnect();
             });
-            ws.on("error", (err) => {
+            socket.on("error", (err) => {
+                if (ws !== socket || connectionId !== connectionSeq)
+                    return;
                 log.warn("botcord ws error", { agentId, err: String(err) });
                 markStatus({ lastError: String(err) });
             });