@geminixiang/mama 0.2.0-beta.4 → 0.2.0-beta.5

package/dist/main.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AAEA,OAAO,iBAAiB,CAAC","sourcesContent":["#!/usr/bin/env node\n\nimport \"./instrument.js\";\n\nimport { join, resolve } from \"path\";\nimport { mkdirSync, readFileSync, statSync } from \"fs\";\nimport { homedir } from \"os\";\nimport { fileURLToPath } from \"url\";\nimport { dirname, join as pathJoin } from \"path\";\nimport type { Bot, BotAdapters, BotEvent, BotHandler } from \"./adapter.js\";\nimport { DiscordBot } from \"./adapters/discord/index.js\";\nimport { TelegramBot } from \"./adapters/telegram/index.js\";\nimport { SlackBot as SlackBotClass } from \"./adapters/slack/index.js\";\nimport { type AgentRunner, createRunner } from \"./agent.js\";\nimport {\n  createManagedSessionFile,\n  createManagedSessionFileAtPath,\n  getChannelSessionDir,\n  getThreadSessionFile,\n  resolveGenericSessionScope,\n  type ResolvedSessionScope,\n} from \"./session-store.js\";\nimport { downloadChannel } from \"./download.js\";\nimport { createEventsWatcher } from \"./events.js\";\nimport * as log from \"./log.js\";\nimport { FileUserBindingStore } from \"./bindings.js\";\nimport { parseLoginCommand } from \"./login/index.js\";\nimport { startLinkServer } from \"./login/portal.js\";\nimport { InMemoryLinkTokenStore } from \"./login/session.js\";\nimport { parseSessionViewCommand } from \"./session-view/command.js\";\nimport { resolveExistingSessionFile } from \"./session-view/service.js\";\nimport { InMemorySessionViewTokenStore } from \"./session-view/store.js\";\nimport { DockerContainerManager } from \"./provisioner.js\";\nimport { loadAgentConfig } from \"./config.js\";\nimport { SandboxError, parseSandboxArg, type SandboxConfig, validateSandbox } from \"./sandbox.js\";\nimport { FileVaultManager } from \"./vault.js\";\nimport {\n  createManagedVaultEntry,\n  ensureSandboxVaultEntry,\n  resolveActorVaultKey,\n} from \"./vault-routing.js\";\nimport { addLifecycleBreadcrumb, applyRunScope } from \"./sentry.js\";\nimport { ChannelStore } from \"./store.js\";\nimport { formatNothingRunning, formatStopped, formatStopping } from \"./ui-copy.js\";\nimport {\n  hasMaterializedSlackBranchSession,\n  resolveSlackSessionScope,\n  waitForSlackBranchBootstrap,\n} from \"./adapters/slack/branch-manager.js\";\nimport * as Sentry from \"@sentry/node\";\n\n// ============================================================================\n// Config\n// ============================================================================\n\n// Get version from package.json\nfunction getVersion(): string {\n  // Try to find package.json in the dist directory or parent\n  const possiblePaths = [\n    pathJoin(dirname(fileURLToPath(import.meta.url)), \"package.json\"),\n    pathJoin(dirname(fileURLToPath(import.meta.url)), \"..\", \"package.json\"),\n    pathJoin(process.cwd(), \"package.json\"),\n  ];\n\n  for (const pkgPath of possiblePaths) {\n    try {\n      const pkg = JSON.parse(readFileSync(pkgPath, \"utf-8\"));\n      if (pkg.version) return pkg.version;\n    } catch {\n      // Continue to next path\n    }\n  }\n  return \"unknown\";\n}\n\nconst MOM_SLACK_APP_TOKEN = process.env.MOM_SLACK_APP_TOKEN;\nconst MOM_SLACK_BOT_TOKEN = process.env.MOM_SLACK_BOT_TOKEN;\nconst MOM_TELEGRAM_BOT_TOKEN = process.env.MOM_TELEGRAM_BOT_TOKEN;\nconst MOM_DISCORD_BOT_TOKEN = process.env.MOM_DISCORD_BOT_TOKEN;\nconst MOM_LINK_URL = process.env.MOM_LINK_URL;\nconst MOM_LINK_PORT = process.env.MOM_LINK_PORT\n  ? parseInt(process.env.MOM_LINK_PORT, 10)\n  : MOM_LINK_URL\n    ? 8181\n    : undefined;\n\ninterface ParsedArgs {\n  workingDir?: string;\n  stateDir?: string;\n  sandbox: SandboxConfig;\n  downloadChannel?: string;\n  showVersion?: boolean;\n}\n\nfunction parseArgs(): ParsedArgs {\n  const args = process.argv.slice(2);\n  let sandbox: SandboxConfig = { type: \"host\" };\n  let workingDir: string | undefined;\n  let stateDirArg: string | undefined;\n  let downloadChannelId: string | undefined;\n  let showVersion = false;\n\n  for (let i = 0; i < args.length; i++) {\n    const arg = args[i];\n    if (arg === \"--version\" || arg === \"-v\" || arg === \"-V\") {\n      showVersion = true;\n    } else if (arg.startsWith(\"--sandbox=\")) {\n      sandbox = parseSandboxArg(arg.slice(\"--sandbox=\".length));\n    } else if (arg === \"--sandbox\") {\n      sandbox = parseSandboxArg(args[++i] || \"\");\n    } else if (arg.startsWith(\"--state-dir=\")) {\n      stateDirArg = arg.slice(\"--state-dir=\".length);\n    } else if (arg === \"--state-dir\") {\n      stateDirArg = args[++i];\n    } else if (arg.startsWith(\"--download=\")) {\n      downloadChannelId = arg.slice(\"--download=\".length);\n    } else if (arg === \"--download\") {\n      downloadChannelId = args[++i];\n    } else if (!arg.startsWith(\"-\")) {\n      workingDir = arg;\n    }\n  }\n\n  return {\n    workingDir: workingDir ? resolve(workingDir) : undefined,\n    stateDir: stateDirArg ? resolve(stateDirArg) : undefined,\n    sandbox,\n    downloadChannel: downloadChannelId,\n    showVersion,\n  };\n}\n\nconst WORLD_WRITABLE_MODE = 0o002;\n\nfunction ensureSecureStateDir(path: string): void {\n  let stat;\n  try {\n    stat = statSync(path);\n  } catch (err) {\n    const code = (err as NodeJS.ErrnoException).code;\n    if (code === \"ENOENT\") {\n      mkdirSync(path, { recursive: true, mode: 0o700 });\n      return;\n    }\n    console.error(`Error: cannot access --state-dir ${path}: ${(err as Error).message}`);\n    process.exit(1);\n  }\n\n  if (!stat.isDirectory()) {\n    console.error(`Error: --state-dir ${path} exists but is not a directory`);\n    process.exit(1);\n  }\n\n  if (stat.mode & WORLD_WRITABLE_MODE) {\n    console.error(\n      `Error: --state-dir ${path} is world-writable (mode ${(stat.mode & 0o777).toString(8)}). ` +\n        `Credentials stored there would be exposed to other local users. ` +\n        `Fix with: chmod 0700 ${path}`,\n    );\n    process.exit(1);\n  }\n\n  const euid = typeof process.geteuid === \"function\" ? process.geteuid() : undefined;\n  if (euid !== undefined && stat.uid !== euid) {\n    console.error(\n      `Error: --state-dir ${path} is owned by uid ${stat.uid} but mama is running as uid ${euid}. ` +\n        `Run mama as the directory owner or point --state-dir at a directory you own.`,\n    );\n    process.exit(1);\n  }\n}\n\nfunction handleStartupError(error: unknown): never {\n  if (error instanceof SandboxError) {\n    for (const line of error.formatForCli()) {\n      console.error(line);\n    }\n    process.exit(1);\n  }\n  throw error;\n}\n\nlet parsedArgs: ParsedArgs;\ntry {\n  parsedArgs = parseArgs();\n} catch (error) {\n  handleStartupError(error);\n}\n\n// Handle --version\nif (parsedArgs.showVersion) {\n  console.log(getVersion());\n  process.exit(0);\n}\n\n// Handle --download mode (Slack only)\nif (parsedArgs.downloadChannel) {\n  if (!MOM_SLACK_BOT_TOKEN) {\n    console.error(\"Missing env: MOM_SLACK_BOT_TOKEN\");\n    process.exit(1);\n  }\n  await downloadChannel(parsedArgs.downloadChannel, MOM_SLACK_BOT_TOKEN);\n  process.exit(0);\n}\n\n// Normal bot mode - require working dir\nif (!parsedArgs.workingDir) {\n  console.error(\n    \"Usage: mama [--state-dir=<dir>] [--sandbox=host|container:<name>|image:<image>|firecracker:<vm-id>:<host-path>] <working-directory>\",\n  );\n  console.error(\"       mama --download <channel-id>\");\n  process.exit(1);\n}\n\nconst { workingDir, sandbox } = { workingDir: parsedArgs.workingDir, sandbox: parsedArgs.sandbox };\nconst stateDir = parsedArgs.stateDir ?? join(homedir(), \".mama\");\nprocess.env.MAMA_STATE_DIR = stateDir;\nensureSecureStateDir(stateDir);\n\n// Validate platform tokens\nconst hasSlack = !!(MOM_SLACK_APP_TOKEN && MOM_SLACK_BOT_TOKEN);\nconst hasTelegram = !!MOM_TELEGRAM_BOT_TOKEN;\nconst hasDiscord = !!MOM_DISCORD_BOT_TOKEN;\n\nif (!hasSlack && !hasTelegram && !hasDiscord) {\n  console.error(\n    \"No platform tokens found. Set one of:\\n\" +\n      \"  Slack:    MOM_SLACK_APP_TOKEN + MOM_SLACK_BOT_TOKEN\\n\" +\n      \"  Telegram: MOM_TELEGRAM_BOT_TOKEN\\n\" +\n      \"  Discord:  MOM_DISCORD_BOT_TOKEN\",\n  );\n  process.exit(1);\n}\n\ntry {\n  await validateSandbox(sandbox);\n} catch (error) {\n  handleStartupError(error);\n}\n\nconst vaultManager = new FileVaultManager(stateDir);\nif (vaultManager.isEnabled()) {\n  console.log(\n    sandbox.type === \"container\"\n      ? \"  Vault system enabled. Container vault active.\"\n      : sandbox.type === \"image\" || sandbox.type === \"firecracker\"\n        ? \"  Vault system enabled. Per-user credential routing active.\"\n        : \"  Vault system enabled. Host mode will not inject vault env.\",\n  );\n}\n\nconst bindingStore = new FileUserBindingStore(stateDir);\nif (bindingStore.isEnabled()) {\n  console.log(\n    sandbox.type === \"container\"\n      ? \"  Binding store enabled. Container mode uses the container vault.\"\n      : sandbox.type === \"image\" || sandbox.type === \"firecracker\"\n        ? \"  Binding store enabled. Platform user → vault routing active.\"\n        : \"  Binding store enabled. Host mode will not inject vault env.\",\n  );\n}\n\nconst startupConfig = loadAgentConfig(workingDir);\nconst sandboxLimits =\n  startupConfig.sandboxCpus || startupConfig.sandboxMemory\n    ? { cpus: startupConfig.sandboxCpus, memory: startupConfig.sandboxMemory }\n    : undefined;\n\nconst provisioner =\n  sandbox.type === \"image\"\n    ? new DockerContainerManager(sandbox.image, workingDir, { limits: sandboxLimits })\n    : undefined;\n\nconst linkTokenStore = new InMemoryLinkTokenStore();\nconst sessionViewTokenStore = new InMemorySessionViewTokenStore();\nsetInterval(() => linkTokenStore.purge(), 5 * 60 * 1000).unref();\nsetInterval(() => sessionViewTokenStore.purge(), 5 * 60 * 1000).unref();\n\nfunction portalBaseUrl(): string | undefined {\n  if (MOM_LINK_URL) return MOM_LINK_URL.replace(/\\/+$/, \"\");\n  if (MOM_LINK_PORT) return `http://localhost:${MOM_LINK_PORT}`;\n  return undefined;\n}\n\nfunction isPrivateConversation(event: BotEvent): boolean {\n  return event.conversationKind === \"direct\" || event.type === \"dm\";\n}\n\nfunction ensureLoginVault(platform: string, platformUserId: string): string {\n  const vaultId = resolveActorVaultKey(\n    sandbox,\n    vaultManager,\n    bindingStore,\n    platform,\n    platformUserId,\n  );\n\n  ensureSandboxVaultEntry(sandbox, vaultManager, platform, platformUserId, vaultId);\n  if (sandbox.type !== \"container\" && sandbox.type !== \"image\") {\n    vaultManager.addEntry(vaultId, createManagedVaultEntry(platform, platformUserId, vaultId));\n  }\n\n  return vaultId;\n}\n\nasync function replyWithContext(\n  responseCtx: BotAdapters[\"responseCtx\"],\n  text: string,\n): Promise<void> {\n  await responseCtx.setTyping(false);\n  await responseCtx.setWorking(false);\n  await responseCtx.respond(text);\n}\n\nasync function handleLoginCommand(\n  platform: string,\n  platformUserId: string,\n  conversationId: string,\n  responseCtx: BotAdapters[\"responseCtx\"],\n  commandText: string,\n  privateConversation: boolean,\n): Promise<boolean> {\n  const parsed = parseLoginCommand(commandText);\n  if (!parsed) return false;\n\n  if (!privateConversation) {\n    await replyWithContext(\n      responseCtx,\n      \"為了保護你的憑證，`/login` 只能在與機器人的私訊中使用。請先私訊機器人，再重新執行 `/login`。\",\n    );\n    return true;\n  }\n\n  const baseUrl = portalBaseUrl();\n  if (!baseUrl) {\n    await replyWithContext(\n      responseCtx,\n      \"Login is not configured. Set `MOM_LINK_URL` or `MOM_LINK_PORT` on the server.\",\n    );\n    return true;\n  }\n\n  let vaultId: string;\n  try {\n    vaultId = ensureLoginVault(platform, platformUserId);\n  } catch (error) {\n    log.logWarning(\n      `[${conversationId}] Failed to prepare login vault for ${platform}/${platformUserId}`,\n      error instanceof Error ? error.message : String(error),\n    );\n    await replyWithContext(\n      responseCtx,\n      \"Login setup failed on the server. 請稍後重試，或聯絡管理員檢查 vault 儲存權限。\",\n    );\n    return true;\n  }\n\n  const token = linkTokenStore.create(\n    platform as \"slack\" | \"discord\" | \"telegram\",\n    platformUserId,\n    conversationId,\n    vaultId,\n    \"\",\n  );\n  const vaultLabel = sandbox.type === \"container\" ? `container vault (${vaultId})` : \"your vault\";\n  await replyWithContext(\n    responseCtx,\n    `Open this link to store credentials in ${vaultLabel} (expires in 15 minutes):\\n${baseUrl}/link?token=${token.token}`,\n  );\n  return true;\n}\n\nasync function handleSessionViewCommand(\n  platform: string,\n  platformUserId: string,\n  conversationId: string,\n  sessionKey: string,\n  bot: Bot,\n  responseCtx: BotAdapters[\"responseCtx\"],\n  commandText: string,\n  privateConversation: boolean,\n): Promise<boolean> {\n  if (!parseSessionViewCommand(commandText)) return false;\n\n  const allowSharedPrivateDelivery = platform === \"slack\" || platform === \"discord\";\n  const sendSessionViewReply = async (text: string): Promise<void> => {\n    if (privateConversation) {\n      await replyWithContext(responseCtx, text);\n      return;\n    }\n\n    if (platform === \"slack\" && bot instanceof SlackBotClass) {\n      await bot.postEphemeral(conversationId, platformUserId, text);\n      return;\n    }\n\n    if (platform === \"discord\" && bot instanceof DiscordBot) {\n      await bot.sendDirectMessage(platformUserId, text);\n      return;\n    }\n\n    await replyWithContext(responseCtx, text);\n  };\n\n  if (!privateConversation && !allowSharedPrivateDelivery) {\n    await sendSessionViewReply(\n      \"為了保護對話內容，`/session` 目前只能在與機器人的私訊 / DM 中使用。\",\n    );\n    return true;\n  }\n\n  const baseUrl = portalBaseUrl();\n  if (!baseUrl) {\n    await sendSessionViewReply(\n      \"Session viewer is not configured. Set `MOM_LINK_URL` or `MOM_LINK_PORT` on the server.\",\n    );\n    return true;\n  }\n\n  const sessionFile = resolveExistingSessionFile(workingDir, conversationId, sessionKey);\n  if (!sessionFile) {\n    await sendSessionViewReply(\n      \"目前還沒有可查看的 session。先和機器人對話一次，建立 session 後再試。\",\n    );\n    return true;\n  }\n\n  const token = sessionViewTokenStore.create(\n    platform as \"slack\" | \"discord\" | \"telegram\",\n    platformUserId,\n    conversationId,\n    sessionKey,\n    sessionFile,\n  );\n\n  const linkText = `Open this read-only session link (expires in 24 hours):\\n${baseUrl}/session?token=${token.token}`;\n  await sendSessionViewReply(linkText);\n  return true;\n}\n\n// ============================================================================\n// State (per conversation)\n// ============================================================================\n\ninterface ConversationState {\n  running: boolean;\n  runner: AgentRunner;\n  stopRequested: boolean;\n  stopMessageTs?: string;\n  lastAccessedAt: number;\n  startedAt?: number;\n  lastActivityAt?: number;\n}\n\nconst conversationStates = new Map<string, ConversationState>();\n\n/** Track in-flight runs for graceful shutdown */\nconst inFlightRuns = new Set<Promise<void>>();\n\n/** Flag to stop accepting new events during shutdown */\nlet isShuttingDown = false;\n\n/** Maximum number of cached sessions */\nconst MAX_SESSIONS = 500;\n/** Idle timeout before a non-running session can be evicted (1 hour) */\nconst IDLE_TIMEOUT_MS = 3600000;\n/** Idle timeout for managed image containers (10 minutes) */\nconst IMAGE_IDLE_TIMEOUT_MS = 10 * 60 * 1000;\n\nif (provisioner) {\n  await provisioner.reconcile();\n  await provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS);\n  setInterval(() => provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS), IMAGE_IDLE_TIMEOUT_MS).unref();\n}\n\nasync function resolveSessionScope(\n  platformName: string,\n  conversationDir: string,\n  sessionKey: string,\n): Promise<ResolvedSessionScope> {\n  if (platformName === \"slack\") {\n    return resolveSlackSessionScope({ conversationDir, sessionKey });\n  }\n  return resolveGenericSessionScope({ conversationDir, sessionKey });\n}\n\nasync function getState(\n  conversationId: string,\n  platformName: string,\n  sessionKey?: string,\n): Promise<ConversationState> {\n  const key = sessionKey ?? conversationId;\n  let state = conversationStates.get(key);\n  if (!state) {\n    const conversationDir = join(workingDir, conversationId);\n    const sessionScope = await resolveSessionScope(platformName, conversationDir, key);\n    state = {\n      running: false,\n      runner: await createRunner(\n        sandbox,\n        key,\n        conversationId,\n        conversationDir,\n        workingDir,\n        sessionScope,\n        vaultManager,\n        bindingStore,\n        provisioner,\n      ),\n      stopRequested: false,\n      lastAccessedAt: Date.now(),\n    };\n    conversationStates.set(key, state);\n  } else {\n    state.lastAccessedAt = Date.now();\n  }\n  return state;\n}\n\n/**\n * Evict idle sessions from conversationStates to bound memory usage.\n * Called after each handleEvent completes.\n */\nfunction evictIdleSessions(): void {\n  const now = Date.now();\n\n  for (const [key, state] of conversationStates) {\n    if (!state.running && now - state.lastAccessedAt > IDLE_TIMEOUT_MS) {\n      conversationStates.delete(key);\n    }\n  }\n\n  if (conversationStates.size > MAX_SESSIONS) {\n    const idleSessions: Array<{ key: string; lastAccessedAt: number }> = [];\n    for (const [key, state] of conversationStates) {\n      if (!state.running) {\n        idleSessions.push({ key, lastAccessedAt: state.lastAccessedAt });\n      }\n    }\n\n    idleSessions.sort((a, b) => a.lastAccessedAt - b.lastAccessedAt);\n\n    const toEvict = conversationStates.size - MAX_SESSIONS;\n    for (let i = 0; i < toEvict && i < idleSessions.length; i++) {\n      conversationStates.delete(idleSessions[i].key);\n    }\n  }\n}\n\n// ============================================================================\n// Handler\n// ============================================================================\n\nconst handler: BotHandler = {\n  isRunning(sessionKey: string): boolean {\n    const state = conversationStates.get(sessionKey);\n    return !!state?.running;\n  },\n\n  getRunningSessions() {\n    const sessions: import(\"./adapter.js\").RunningSession[] = [];\n    for (const [sessionKey, state] of conversationStates) {\n      if (state.running && state.startedAt) {\n        // Get current step from runner\n        const currentStep = state.runner.getCurrentStep();\n        sessions.push({\n          sessionKey,\n          startedAt: state.startedAt,\n          lastActivityAt: state.lastActivityAt,\n          currentTool: currentStep?.label || currentStep?.toolName,\n        });\n      }\n    }\n    return sessions;\n  },\n\n  async handleStop(sessionKey: string, conversationId: string, bot: Bot): Promise<void> {\n    const state = conversationStates.get(sessionKey);\n    if (state?.running) {\n      state.stopRequested = true;\n      state.runner.abort();\n      const ts = await bot.postMessage(conversationId, formatStopping(bot));\n      state.stopMessageTs = ts;\n    } else {\n      await bot.postMessage(conversationId, formatNothingRunning(bot));\n    }\n  },\n\n  forceStop(sessionKey: string): void {\n    const state = conversationStates.get(sessionKey);\n    if (state?.running) {\n      log.logInfo(`[Force Stop] Force stopping session: ${sessionKey}`);\n      state.stopRequested = true;\n      state.runner.abort();\n      state.running = false;\n    }\n  },\n\n  async handleNew(sessionKey: string, conversationId: string, bot: Bot): Promise<void> {\n    const state = conversationStates.get(sessionKey);\n    if (state?.running) {\n      state.stopRequested = true;\n      state.runner.abort();\n    }\n\n    // Conversation sessions rotate via current pointer. Thread sessions reset in place.\n    const conversationDir = join(workingDir, conversationId);\n    if (sessionKey.includes(\":\")) {\n      createManagedSessionFileAtPath(\n        getThreadSessionFile(conversationDir, sessionKey),\n        conversationDir,\n      );\n    } else {\n      createManagedSessionFile(getChannelSessionDir(conversationDir), conversationDir);\n    }\n\n    // Remove from in-memory cache\n    conversationStates.delete(sessionKey);\n\n    log.logInfo(`[${conversationId}] Session reset: ${sessionKey}`);\n    await bot.postMessage(conversationId, \"Conversation reset. Send a new message to start fresh.\");\n  },\n\n  async handleEvent(\n    event: BotEvent,\n    bot: Bot,\n    adapters: BotAdapters,\n    _isEvent?: boolean,\n  ): Promise<void> {\n    const conversationId = event.conversationId;\n\n    // Don't accept new events during shutdown\n    if (isShuttingDown) {\n      log.logInfo(\n        `[${conversationId}] Rejected event during shutdown: ${event.text.substring(0, 50)}`,\n      );\n      return;\n    }\n\n    const sessionKey = event.sessionKey ?? `${conversationId}:${event.thread_ts ?? event.ts}`;\n    const privateConversation = isPrivateConversation(event);\n    const handledLogin = await handleLoginCommand(\n      adapters.platform.name,\n      event.user,\n      conversationId,\n      adapters.responseCtx,\n      event.text,\n      privateConversation,\n    );\n    if (handledLogin) return;\n\n    const handledSessionView = await handleSessionViewCommand(\n      adapters.platform.name,\n      event.user,\n      conversationId,\n      sessionKey,\n      bot,\n      adapters.responseCtx,\n      event.text,\n      privateConversation,\n    );\n    if (handledSessionView) return;\n\n    const conversationDir = join(workingDir, conversationId);\n    const waitedForParent =\n      adapters.platform.name === \"slack\"\n        ? await waitForSlackBranchBootstrap({\n            parentSessionKey: conversationId,\n            sessionKey,\n            hasThreadSession: () => hasMaterializedSlackBranchSession(conversationDir, sessionKey),\n            isParentRunning: () => conversationStates.get(conversationId)?.running === true,\n          })\n        : false;\n    if (waitedForParent) {\n      log.logInfo(\n        `[${conversationId}] Delayed thread bootstrap until parent session sealed: ${sessionKey}`,\n      );\n    }\n\n    const state = await getState(conversationId, adapters.platform.name, sessionKey);\n\n    // Start run\n    state.running = true;\n    state.stopRequested = false;\n    state.startedAt = Date.now();\n    state.lastActivityAt = Date.now();\n\n    log.logInfo(`[${conversationId}] Starting run: ${event.text.substring(0, 50)}`);\n\n    // Wrap in-flight run tracking\n    Sentry.metrics.count(\"agent.run.started\", 1, {\n      attributes: { channel: conversationId },\n    });\n    Sentry.metrics.gauge(\"agent.sessions.active\", inFlightRuns.size + 1);\n\n    const runPromise = Sentry.startSpan(\n      { name: \"agent.run\", op: \"agent\", attributes: { conversationId, sessionKey } },\n      async () => {\n        return Sentry.withScope(async (scope) => {\n          const { message, responseCtx, platform } = adapters;\n          applyRunScope(scope, {\n            conversationId,\n            sessionKey,\n            messageId: message.id,\n            platform: platform.name,\n            userId: message.userId,\n            userName: message.userName,\n            threadTs: message.threadTs,\n            isEvent: _isEvent,\n          });\n          addLifecycleBreadcrumb(\"agent.run.started\", {\n            channel_id: conversationId,\n            platform: platform.name,\n            has_attachments: (message.attachments?.length ?? 0) > 0,\n          });\n\n          try {\n            await responseCtx.setTyping(true);\n            await responseCtx.setWorking(true);\n            const result = await state.runner.run(message, responseCtx, platform);\n            await responseCtx.setWorking(false);\n\n            const durationMs = Date.now() - state.startedAt!;\n            Sentry.metrics.distribution(\"agent.run.duration\", durationMs, {\n              unit: \"millisecond\",\n              attributes: {\n                channel: conversationId,\n                platform: platform.name,\n                stop_reason: result.stopReason,\n              },\n            });\n            Sentry.metrics.count(\"agent.run.completed\", 1, {\n              attributes: {\n                channel: conversationId,\n                platform: platform.name,\n                stop_reason: result.stopReason,\n              },\n            });\n            addLifecycleBreadcrumb(\"agent.run.completed\", {\n              channel_id: conversationId,\n              platform: platform.name,\n              stop_reason: result.stopReason,\n              duration_ms: durationMs,\n            });\n\n            if (result.stopReason === \"aborted\" && state.stopRequested) {\n              if (state.stopMessageTs) {\n                await bot.updateMessage(conversationId, state.stopMessageTs, formatStopped(bot));\n                state.stopMessageTs = undefined;\n              } else {\n                await bot.postMessage(conversationId, formatStopped(bot));\n              }\n            }\n          } catch (err) {\n            scope.setContext(\"agent_run_error\", {\n              conversationId,\n              sessionKey,\n              platform: adapters.platform.name,\n              messageId: adapters.message.id,\n              threadTs: adapters.message.threadTs,\n            });\n            Sentry.captureException(err);\n            Sentry.metrics.count(\"agent.run.errors\", 1, {\n              attributes: { channel: conversationId, platform: adapters.platform.name },\n            });\n            log.logWarning(\n              `[${conversationId}] Run error`,\n              err instanceof Error ? err.message : String(err),\n            );\n          } finally {\n            state.running = false;\n            state.lastAccessedAt = Date.now();\n            Sentry.metrics.gauge(\"agent.sessions.active\", inFlightRuns.size - 1);\n            evictIdleSessions();\n          }\n        });\n      },\n    );\n\n    inFlightRuns.add(runPromise);\n    try {\n      await runPromise;\n    } finally {\n      inFlightRuns.delete(runPromise);\n    }\n  },\n};\n\n// ============================================================================\n// Start\n// ============================================================================\n\nconst sandboxDesc =\n  sandbox.type === \"host\"\n    ? \"host\"\n    : sandbox.type === \"container\"\n      ? `container:${sandbox.container}`\n      : sandbox.type === \"image\"\n        ? `image:${sandbox.image}`\n        : `firecracker:${sandbox.vmId}`;\nlog.logStartup(workingDir, sandboxDesc);\n\n// Create platform bots\nconst bots: Bot[] = [];\nconst botsByPlatform: Record<string, Bot> = {};\n\nif (hasSlack) {\n  const sharedStore = new ChannelStore({ workingDir, botToken: MOM_SLACK_BOT_TOKEN! });\n  const slackBot = new SlackBotClass(handler, {\n    appToken: MOM_SLACK_APP_TOKEN!,\n    botToken: MOM_SLACK_BOT_TOKEN!,\n    workingDir,\n    store: sharedStore,\n  });\n  bots.push(slackBot);\n  botsByPlatform.slack = slackBot;\n  log.logInfo(\"Platform: Slack\");\n}\nif (hasTelegram) {\n  const telegramBot = new TelegramBot(handler, {\n    token: MOM_TELEGRAM_BOT_TOKEN!,\n    workingDir,\n  });\n  bots.push(telegramBot);\n  botsByPlatform.telegram = telegramBot;\n  log.logInfo(\"Platform: Telegram\");\n}\nif (hasDiscord) {\n  const discordBot = new DiscordBot(handler, {\n    token: MOM_DISCORD_BOT_TOKEN!,\n    workingDir,\n  });\n  bots.push(discordBot);\n  botsByPlatform.discord = discordBot;\n  log.logInfo(\"Platform: Discord\");\n}\n\nif (MOM_LINK_PORT) {\n  startLinkServer(\n    MOM_LINK_PORT,\n    linkTokenStore,\n    vaultManager,\n    async (platform, conversationId, message) => {\n      const bot = botsByPlatform[platform];\n      if (bot) await bot.postMessage(conversationId, message);\n    },\n    sessionViewTokenStore,\n  );\n}\n\n// Start events watcher with explicit platform routing\nconst eventsWatcher = createEventsWatcher(workingDir, botsByPlatform);\nconst slackBot = botsByPlatform.slack as SlackBotClass | undefined;\nif (slackBot) {\n  slackBot.setEventsWatcher(eventsWatcher);\n}\neventsWatcher.start();\n\n// Handle shutdown\nasync function shutdown(): Promise<void> {\n  if (isShuttingDown) return;\n  isShuttingDown = true;\n  log.logInfo(\"Shutting down gracefully...\");\n\n  const timeout = Date.now() + 30000;\n  while (inFlightRuns.size > 0 && Date.now() < timeout) {\n    await new Promise((resolve) => setTimeout(resolve, 500));\n  }\n\n  if (inFlightRuns.size > 0) {\n    log.logWarning(`Forcing exit with ${inFlightRuns.size} runs still in progress`);\n  }\n\n  eventsWatcher.stop();\n  await Sentry.close(5000);\n  process.exit(0);\n}\n\nprocess.on(\"SIGINT\", shutdown);\nprocess.on(\"SIGTERM\", shutdown);\n\n// Start all bots\nawait Promise.all(\n  bots.map((bot) =>\n    bot.start().catch((err) => {\n      log.logWarning(\"Failed to start bot\", err instanceof Error ? err.message : String(err));\n      process.exit(1);\n    }),\n  ),\n);\n"]}
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AAEA,OAAO,iBAAiB,CAAC","sourcesContent":["#!/usr/bin/env node\n\nimport \"./instrument.js\";\n\nimport { join, resolve } from \"path\";\nimport { mkdirSync, readFileSync, statSync, writeFileSync } from \"fs\";\nimport { homedir } from \"os\";\nimport { fileURLToPath } from \"url\";\nimport { dirname, join as pathJoin } from \"path\";\nimport type { Bot } from \"./adapter.js\";\nimport { DiscordBot } from \"./adapters/discord/index.js\";\nimport { TelegramBot } from \"./adapters/telegram/index.js\";\nimport { SlackBot as SlackBotClass } from \"./adapters/slack/index.js\";\nimport { downloadChannel } from \"./download.js\";\nimport { createEventsWatcher } from \"./events.js\";\nimport * as log from \"./log.js\";\nimport { FileUserBindingStore } from \"./bindings.js\";\nimport { startLinkServer } from \"./login/portal.js\";\nimport { InMemoryLinkTokenStore } from \"./login/session.js\";\nimport { InMemorySessionViewTokenStore } from \"./session-view/store.js\";\nimport { DockerContainerManager } from \"./provisioner.js\";\nimport { loadAgentConfig } from \"./config.js\";\nimport { SandboxError, parseSandboxArg, type SandboxConfig, validateSandbox } from \"./sandbox.js\";\nimport { FileVaultManager } from \"./vault.js\";\nimport { createSessionRuntime } from \"./runtime/index.js\";\nimport { ChannelStore } from \"./store.js\";\nimport * as Sentry from \"@sentry/node\";\n\n// ============================================================================\n// Config\n// ============================================================================\n\n// Get version from package.json\nfunction getVersion(): string {\n  // Try to find package.json in the dist directory or parent\n  const possiblePaths = [\n    pathJoin(dirname(fileURLToPath(import.meta.url)), \"package.json\"),\n    pathJoin(dirname(fileURLToPath(import.meta.url)), \"..\", \"package.json\"),\n    pathJoin(process.cwd(), \"package.json\"),\n  ];\n\n  for (const pkgPath of possiblePaths) {\n    try {\n      const pkg = JSON.parse(readFileSync(pkgPath, \"utf-8\"));\n      if (pkg.version) return pkg.version;\n    } catch {\n      // Continue to next path\n    }\n  }\n  return \"unknown\";\n}\n\nconst MAMA_SLACK_APP_TOKEN = process.env.MAMA_SLACK_APP_TOKEN;\nconst MAMA_SLACK_BOT_TOKEN = process.env.MAMA_SLACK_BOT_TOKEN;\nconst MAMA_TELEGRAM_BOT_TOKEN = process.env.MAMA_TELEGRAM_BOT_TOKEN;\nconst MAMA_DISCORD_BOT_TOKEN = process.env.MAMA_DISCORD_BOT_TOKEN;\nconst MAMA_LINK_URL = process.env.MAMA_LINK_URL;\nconst MAMA_LINK_PORT = process.env.MAMA_LINK_PORT\n  ? parseInt(process.env.MAMA_LINK_PORT, 10)\n  : MAMA_LINK_URL\n    ? 8181\n    : undefined;\n\ninterface ParsedArgs {\n  workingDir?: string;\n  stateDir?: string;\n  sandbox: SandboxConfig;\n  downloadChannel?: string;\n  showVersion?: boolean;\n}\n\nfunction parseArgs(): ParsedArgs {\n  const args = process.argv.slice(2);\n  let sandbox: SandboxConfig = { type: \"host\" };\n  let workingDir: string | undefined;\n  let stateDirArg: string | undefined;\n  let downloadChannelId: string | undefined;\n  let showVersion = false;\n\n  for (let i = 0; i < args.length; i++) {\n    const arg = args[i];\n    if (arg === \"--version\" || arg === \"-v\" || arg === \"-V\") {\n      showVersion = true;\n    } else if (arg.startsWith(\"--sandbox=\")) {\n      sandbox = parseSandboxArg(arg.slice(\"--sandbox=\".length));\n    } else if (arg === \"--sandbox\") {\n      sandbox = parseSandboxArg(args[++i] || \"\");\n    } else if (arg.startsWith(\"--state-dir=\")) {\n      stateDirArg = arg.slice(\"--state-dir=\".length);\n    } else if (arg === \"--state-dir\") {\n      stateDirArg = args[++i];\n    } else if (arg.startsWith(\"--download=\")) {\n      downloadChannelId = arg.slice(\"--download=\".length);\n    } else if (arg === \"--download\") {\n      downloadChannelId = args[++i];\n    } else if (!arg.startsWith(\"-\")) {\n      workingDir = arg;\n    }\n  }\n\n  return {\n    workingDir: workingDir ? resolve(workingDir) : undefined,\n    stateDir: stateDirArg ? resolve(stateDirArg) : undefined,\n    sandbox,\n    downloadChannel: downloadChannelId,\n    showVersion,\n  };\n}\n\nconst WORLD_WRITABLE_MODE = 0o002;\n\nfunction ensureSecureStateDir(path: string): void {\n  let stat;\n  try {\n    stat = statSync(path);\n  } catch (err) {\n    const code = (err as NodeJS.ErrnoException).code;\n    if (code === \"ENOENT\") {\n      mkdirSync(path, { recursive: true, mode: 0o700 });\n      return;\n    }\n    console.error(`Error: cannot access --state-dir ${path}: ${(err as Error).message}`);\n    process.exit(1);\n  }\n\n  if (!stat.isDirectory()) {\n    console.error(`Error: --state-dir ${path} exists but is not a directory`);\n    process.exit(1);\n  }\n\n  if (stat.mode & WORLD_WRITABLE_MODE) {\n    console.error(\n      `Error: --state-dir ${path} is world-writable (mode ${(stat.mode & 0o777).toString(8)}). ` +\n        `Credentials stored there would be exposed to other local users. ` +\n        `Fix with: chmod 0700 ${path}`,\n    );\n    process.exit(1);\n  }\n\n  const euid = typeof process.geteuid === \"function\" ? process.geteuid() : undefined;\n  if (euid !== undefined && stat.uid !== euid) {\n    console.error(\n      `Error: --state-dir ${path} is owned by uid ${stat.uid} but mama is running as uid ${euid}. ` +\n        `Run mama as the directory owner or point --state-dir at a directory you own.`,\n    );\n    process.exit(1);\n  }\n}\n\nfunction handleStartupError(error: unknown): never {\n  if (error instanceof SandboxError) {\n    for (const line of error.formatForCli()) {\n      console.error(line);\n    }\n    process.exit(1);\n  }\n  throw error;\n}\n\nlet parsedArgs: ParsedArgs;\ntry {\n  parsedArgs = parseArgs();\n} catch (error) {\n  handleStartupError(error);\n}\n\n// Handle --version\nif (parsedArgs.showVersion) {\n  console.log(getVersion());\n  process.exit(0);\n}\n\n// Handle --download mode (Slack only)\nif (parsedArgs.downloadChannel) {\n  if (!MAMA_SLACK_BOT_TOKEN) {\n    console.error(\"Missing env: MAMA_SLACK_BOT_TOKEN\");\n    process.exit(1);\n  }\n  await downloadChannel(parsedArgs.downloadChannel, MAMA_SLACK_BOT_TOKEN);\n  process.exit(0);\n}\n\n// Normal bot mode - require working dir\nif (!parsedArgs.workingDir) {\n  console.error(\n    \"Usage: mama [--state-dir=<dir>] [--sandbox=host|container:<name>|image:<image>|firecracker:<vm-id>:<host-path>|cloudflare:<sandbox-id>] <working-directory>\",\n  );\n  console.error(\"       mama --download <channel-id>\");\n  process.exit(1);\n}\n\nconst { workingDir, sandbox } = { workingDir: parsedArgs.workingDir, sandbox: parsedArgs.sandbox };\nconst stateDir = parsedArgs.stateDir ?? join(homedir(), \".mama\");\nprocess.env.MAMA_STATE_DIR = stateDir;\nensureSecureStateDir(stateDir);\n\n// Validate platform tokens\nconst hasSlack = !!(MAMA_SLACK_APP_TOKEN && MAMA_SLACK_BOT_TOKEN);\nconst hasTelegram = !!MAMA_TELEGRAM_BOT_TOKEN;\nconst hasDiscord = !!MAMA_DISCORD_BOT_TOKEN;\n\nif (!hasSlack && !hasTelegram && !hasDiscord) {\n  console.error(\n    \"No platform tokens found. Set one of:\\n\" +\n      \"  Slack:    MAMA_SLACK_APP_TOKEN + MAMA_SLACK_BOT_TOKEN\\n\" +\n      \"  Telegram: MAMA_TELEGRAM_BOT_TOKEN\\n\" +\n      \"  Discord:  MAMA_DISCORD_BOT_TOKEN\",\n  );\n  process.exit(1);\n}\n\ntry {\n  await validateSandbox(sandbox);\n} catch (error) {\n  handleStartupError(error);\n}\n\nconst vaultManager = new FileVaultManager(stateDir);\nif (vaultManager.isEnabled()) {\n  console.log(\n    sandbox.type === \"container\"\n      ? \"  Vault system enabled. Container vault active.\"\n      : sandbox.type === \"image\" || sandbox.type === \"firecracker\" || sandbox.type === \"cloudflare\"\n        ? \"  Vault system enabled. Conversation-scoped credential routing active.\"\n        : \"  Vault system enabled. Host mode will not inject vault env.\",\n  );\n}\n\nconst bindingStore = new FileUserBindingStore(stateDir);\nif (bindingStore.isEnabled()) {\n  console.log(\n    sandbox.type === \"container\"\n      ? \"  Binding store enabled. Container mode uses the container vault.\"\n      : sandbox.type === \"image\" || sandbox.type === \"firecracker\" || sandbox.type === \"cloudflare\"\n        ? \"  Binding store enabled, but conversation-scoped sandbox routing does not use it.\"\n        : \"  Binding store enabled. Host mode will not inject vault env.\",\n  );\n}\n\nconst startupConfig = loadAgentConfig();\nconst sandboxLimits =\n  startupConfig.sandboxCpus || startupConfig.sandboxMemory\n    ? { cpus: startupConfig.sandboxCpus, memory: startupConfig.sandboxMemory }\n    : undefined;\n\nconst provisioner =\n  sandbox.type === \"image\"\n    ? new DockerContainerManager(sandbox.image, { limits: sandboxLimits })\n    : undefined;\n\nif (sandbox.type === \"image\") {\n  mkdirSync(join(workingDir, \"skills\"), { recursive: true });\n  mkdirSync(join(workingDir, \"events\"), { recursive: true });\n  try {\n    writeFileSync(join(workingDir, \"MEMORY.md\"), \"\", { flag: \"wx\" });\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"EEXIST\") throw err;\n  }\n}\n\nconst linkTokenStore = new InMemoryLinkTokenStore();\nconst sessionViewTokenStore = new InMemorySessionViewTokenStore();\nsetInterval(() => linkTokenStore.purge(), 5 * 60 * 1000).unref();\nsetInterval(() => sessionViewTokenStore.purge(), 5 * 60 * 1000).unref();\n\nfunction portalBaseUrl(): string | undefined {\n  if (MAMA_LINK_URL) return MAMA_LINK_URL.replace(/\\/+$/, \"\");\n  if (MAMA_LINK_PORT) return `http://localhost:${MAMA_LINK_PORT}`;\n  return undefined;\n}\n/** Idle timeout for managed image containers (10 minutes) */\nconst IMAGE_IDLE_TIMEOUT_MS = 10 * 60 * 1000;\n\nif (provisioner) {\n  await provisioner.reconcile();\n  await provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS);\n  setInterval(() => provisioner.stopIdle(IMAGE_IDLE_TIMEOUT_MS), IMAGE_IDLE_TIMEOUT_MS).unref();\n}\nconst handler = createSessionRuntime({\n  workingDir,\n  sandbox,\n  vaultManager,\n  bindingStore,\n  provisioner,\n  linkTokenStore,\n  sessionViewTokenStore,\n  portalBaseUrl: portalBaseUrl(),\n});\n\n// ============================================================================\n// Start\n// ============================================================================\n\nconst sandboxDesc =\n  sandbox.type === \"host\"\n    ? \"host\"\n    : sandbox.type === \"container\"\n      ? `container:${sandbox.container}`\n      : sandbox.type === \"image\"\n        ? `image:${sandbox.image}`\n        : sandbox.type === \"firecracker\"\n          ? `firecracker:${sandbox.vmId}`\n          : `cloudflare:${sandbox.sandboxId}`;\nlog.logStartup(workingDir, sandboxDesc);\n\n// Create platform bots\nconst bots: Bot[] = [];\nconst botsByPlatform: Record<string, Bot> = {};\n\nif (hasSlack) {\n  const sharedStore = new ChannelStore({ workingDir, botToken: MAMA_SLACK_BOT_TOKEN! });\n  const slackBot = new SlackBotClass(handler, {\n    appToken: MAMA_SLACK_APP_TOKEN!,\n    botToken: MAMA_SLACK_BOT_TOKEN!,\n    workingDir,\n    store: sharedStore,\n  });\n  bots.push(slackBot);\n  botsByPlatform.slack = slackBot;\n  log.logInfo(\"Platform: Slack\");\n}\nif (hasTelegram) {\n  const telegramBot = new TelegramBot(handler, {\n    token: MAMA_TELEGRAM_BOT_TOKEN!,\n    workingDir,\n  });\n  bots.push(telegramBot);\n  botsByPlatform.telegram = telegramBot;\n  log.logInfo(\"Platform: Telegram\");\n}\nif (hasDiscord) {\n  const discordBot = new DiscordBot(handler, {\n    token: MAMA_DISCORD_BOT_TOKEN!,\n    workingDir,\n  });\n  bots.push(discordBot);\n  botsByPlatform.discord = discordBot;\n  log.logInfo(\"Platform: Discord\");\n}\n\nif (MAMA_LINK_PORT) {\n  startLinkServer(\n    MAMA_LINK_PORT,\n    linkTokenStore,\n    vaultManager,\n    async (platform, conversationId, message) => {\n      const bot = botsByPlatform[platform];\n      if (bot) await bot.postMessage(conversationId, message);\n    },\n    sessionViewTokenStore,\n  );\n}\n\n// Start events watcher with explicit platform routing\nconst eventsWatcher = createEventsWatcher(workingDir, botsByPlatform);\nconst slackBot = botsByPlatform.slack as SlackBotClass | undefined;\nif (slackBot) {\n  slackBot.setEventsWatcher(eventsWatcher);\n}\neventsWatcher.start();\n\n// Handle shutdown\nasync function shutdown(): Promise<void> {\n  await handler.shutdown();\n  eventsWatcher.stop();\n  await Sentry.close(5000);\n  process.exit(0);\n}\n\nprocess.on(\"SIGINT\", shutdown);\nprocess.on(\"SIGTERM\", shutdown);\n\n// Start all bots\nawait Promise.all(\n  bots.map((bot) =>\n    bot.start().catch((err) => {\n      log.logWarning(\"Failed to start bot\", err instanceof Error ? err.message : String(err));\n      process.exit(1);\n    }),\n  ),\n);\n"]}