@ouro.bot/cli 0.1.0-alpha.484 → 0.1.0-alpha.485

package/changelog.json

@@ -1,6 +1,14 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.485",
+      "changes": [
+        "Session JSON storage no longer accumulates duplicate event ids when two writers race for the same session — `parseSessionEnvelope` now dedupes on read (last-occurrence-wins) so existing corrupted sessions self-heal on the next save, `buildCanonicalSessionEnvelope` assigns the next sequence as `max(existing) + 1` instead of `events.length + 1` so pruning gaps cannot collide, and `deferPostTurnPersist` serializes per-`sessPath` through an in-process queue so concurrent BlueBubbles webhooks for the same chat (or CLI postTurn racing the inner-dialog turn for the same MCP session) cannot interleave their writes.",
+        "Auto-created BlueBubbles group friends are now marked with a `notes.autoCreatedGroup` flag at resolver time, and the trust gate's family-member bypass surfaces a one-time inner-pending notice the first time messages route through an unacknowledged stranger-trust group so the agent can label, rename, or dismiss the relationship before activity accumulates invisibly.",
+        "Inner-dialog worker now caps consecutive `instinct` follow-on turns at `MAX_CONSECUTIVE_INSTINCT_TURNS = 3` to break self-sustaining loops where a tool that writes to the inner-dialog pending dir during a turn would otherwise re-fire the worker indefinitely; externally-queued messages reset the counter so legitimate cascading follow-ups still run, and a new `senses.inner_dialog_worker_instinct_loop_capped` event surfaces when the cap fires."
+      ]
+    },
     {
       "version": "0.1.0-alpha.484",
       "changes": [

package/dist/heart/session-events.js

@@ -254,6 +254,35 @@ function messageFingerprint(message) {
 function makeEventId(sequence) {
     return `evt-${String(sequence).padStart(6, "0")}`;
 }
+/**
+ * Collapse duplicate event ids to a single entry, last-occurrence-wins.
+ *
+ * Concurrent writers in older versions of postTurnPersist could each load the
+ * envelope, compute `events.length + 1` for the next sequence, and both write
+ * an event with the same id. The duplicates would persist in the saved JSON
+ * and confuse downstream replay (the same outbound message could appear to
+ * have been sent twice from the agent's perspective without the agent knowing
+ * it sent it). We dedupe defensively on every load so corrupted sessions
+ * self-heal on the next save and so any future race produces a consistent
+ * view.
+ */
+function dedupeEventsByIdLastWins(events) {
+    // Index id → last position so we can preserve original order while
+    // collapsing duplicates to their final occurrence.
+    const lastIndexById = new Map();
+    for (let i = 0; i < events.length; i++) {
+        lastIndexById.set(events[i].id, i);
+    }
+    return events.filter((event, index) => lastIndexById.get(event.id) === index);
+}
+/**
+ * The next sequence to assign for a freshly-built event. Uses max(existing
+ * sequences) + 1 rather than `events.length + 1` so that gaps from earlier
+ * pruning, archive replay, or self-heal dedup never produce a colliding id.
+ */
+function nextEventSequence(existing) {
+    return existing.reduce((max, event) => Math.max(max, event.sequence), 0) + 1;
+}
 function validateSessionMessages(messages) {
     const violations = [];
     let prevNonToolRole = null;
@@ -665,7 +694,7 @@ function parseSessionEnvelope(raw, options = {}) {
     if (record.version !== 2 || !Array.isArray(record.events) || !record.projection || typeof record.projection !== "object") {
         return null;
     }
-    const events = record.events
+    const rawEvents = record.events
         .filter((event) => event != null && typeof event === "object")
         .map((event, index) => {
         const role = normalizeRole(event.role);
@@ -705,6 +734,12 @@ function parseSessionEnvelope(raw, options = {}) {
             },
         };
     });
+    // Self-heal duplicate event ids that may have been written by concurrent
+    // writers in older harness versions. Last-occurrence-wins by id (later
+    // entries in the persisted file are the more recent state for that id).
+    // We preserve the original document order otherwise, so projection.eventIds
+    // still resolves predictably.
+    const events = dedupeEventsByIdLastWins(rawEvents);
     const projection = record.projection;
     return {
         version: 2,
@@ -821,8 +856,10 @@ function buildCanonicalSessionEnvelope(options) {
         else {
             if (!isSystem)
                 nonSystemSeen++;
-            // Create a new event
-            const event = buildEventFromMessage(currentMessages[i], events.length + 1, options.recordedAt, "live", null, null, currentIngressTimes[i]);
+            // Create a new event. Use nextEventSequence(events) instead of
+            // `events.length + 1` so that any gap (from pruning, archive replay,
+            // or self-heal dedup) cannot collide with an existing id.
+            const event = buildEventFromMessage(currentMessages[i], nextEventSequence(events), options.recordedAt, "live", null, null, currentIngressTimes[i]);
             events.push(event);
             currentEventIds.push(event.id);
         }

package/dist/mind/context.js

@@ -315,11 +315,43 @@ function postTurnPersist(sessPath, prepared, usage, state) {
     return envelope.events;
 }
 /**
- * Deferred persist: same as postTurnPersist but runs on the next event loop tick.
- * Returns a promise that resolves when the persist completes.
+ * Per-sessPath serialization queue. Without this, two concurrent
+ * `deferPostTurnPersist` calls (e.g. two BlueBubbles webhooks for the same
+ * chat firing back-to-back, or a CLI postTurn racing the inner-dialog turn
+ * for the same MCP session) would each load the envelope, both compute the
+ * same "next sequence", and write events with colliding ids. The session
+ * file would silently accumulate duplicates and replay would diverge from
+ * what was actually sent on the wire.
+ *
+ * The queue is in-process only — it does not protect against multiple Node
+ * processes writing to the same file. The dedup-on-load behaviour in
+ * parseSessionEnvelope keeps cross-process races from leaving permanent
+ * corruption; this serializer just keeps the common (single-process) case
+ * race-free in the first place.
+ */
+const sessionPersistQueues = new Map();
+function enqueueSessionPersist(sessPath, fn) {
+    const previous = sessionPersistQueues.get(sessPath) ?? Promise.resolve();
+    // Chain on the previous tail. fn runs whether previous resolved or rejected,
+    // so one failed turn cannot block subsequent turns on the same session.
+    const next = previous.then(fn, fn);
+    // Save a swallowed-rejection sentinel as the new tail so the next caller's
+    // `previous.then(fn, fn)` sees a clean resolution; the original `next` still
+    // propagates rejection to its own caller as expected.
+    /* v8 ignore start -- the swallow only matters when fn rejects, which is the failure path covered separately */
+    const sentinel = next.then(() => undefined, () => undefined);
+    /* v8 ignore stop */
+    sessionPersistQueues.set(sessPath, sentinel);
+    return next;
+}
+/**
+ * Deferred persist: same as postTurnPersist but runs on the next event loop
+ * tick AND serializes against any other deferred persist for the same
+ * sessPath, so concurrent turns cannot race and produce duplicate event ids
+ * in the saved session.
  */
 function deferPostTurnPersist(sessPath, prepared, usage, state) {
-    return new Promise((resolve) => {
+    return enqueueSessionPersist(sessPath, () => new Promise((resolve) => {
         setImmediate(() => {
             try {
                 const events = postTurnPersist(sessPath, prepared, usage, state);
@@ -336,7 +368,7 @@ function deferPostTurnPersist(sessPath, prepared, usage, state) {
                 resolve([]);
             }
         });
-    });
+    }));
 }
 function deleteSession(filePath) {
     try {

package/dist/mind/friends/resolver.js

@@ -87,6 +87,21 @@ class FriendResolver {
             hasAnyFriends = false;
         }
         const isFirstImprint = !hasAnyFriends;
+        // BlueBubbles group chats route through here as `imessage-handle` with an
+        // externalId of the form `group:any;+;<chatHash>`. When the harness auto-
+        // creates the group friend at stranger trust, we mark the record so that
+        // the trust gate can surface the relationship for explicit acknowledgment
+        // later instead of letting messages accumulate silently.
+        const isImessageGroup = this.params.provider === "imessage-handle" &&
+            typeof this.params.externalId === "string" &&
+            this.params.externalId.startsWith("group:");
+        const notes = {};
+        if (this.params.displayName !== "Unknown") {
+            notes.name = { value: this.params.displayName, savedAt: now };
+        }
+        if (isImessageGroup && !isFirstImprint) {
+            notes.autoCreatedGroup = { value: "true", savedAt: now };
+        }
         const friend = {
             id: (0, crypto_1.randomUUID)(),
             name: this.params.displayName,
@@ -96,7 +111,7 @@ class FriendResolver {
             externalIds: [externalId],
             tenantMemberships,
             toolPreferences: {},
-            notes: this.params.displayName !== "Unknown" ? { name: { value: this.params.displayName, savedAt: now } } : {},
+            notes,
             totalTokens: 0,
             createdAt: now,
             updatedAt: now,

package/dist/senses/inner-dialog-worker.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_CONSECUTIVE_INSTINCT_TURNS = void 0;
 exports.createInnerDialogWorker = createInnerDialogWorker;
 exports.startInnerDialogWorker = startInnerDialogWorker;
 const path = __importStar(require("path"));
@@ -41,6 +42,20 @@ const runtime_1 = require("../nerves/runtime");
 const identity_1 = require("../heart/identity");
 const pending_1 = require("../mind/pending");
 const habit_runtime_state_1 = require("../heart/habits/habit-runtime-state");
+/**
+ * Cap on consecutive `instinct` follow-on turns triggered by `hasPendingWork()`
+ * with no externally-queued work in between. Without this cap, a turn that
+ * writes anything back into the inner-dialog pending dir as a side effect of
+ * processing (e.g. a surface tool routing a response) puts the worker into
+ * a self-sustaining loop where the next turn's drain produces another write,
+ * and so on. Real workflows rarely chain more than 2–3 instinct turns; an
+ * external trigger (habit, poke, chat) resets the counter so legitimate
+ * follow-on work is unaffected.
+ *
+ * Three feels right: legitimate cascading follow-ups (e.g. processing a
+ * batch of delegated returns) get through; a true self-loop caps fast.
+ */
+exports.MAX_CONSECUTIVE_INSTINCT_TURNS = 3;
 function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runInnerDialogTurn)(options), hasPendingWork = () => (0, pending_1.hasPendingMessages)((0, pending_1.getInnerDialogPendingDir)((0, identity_1.getAgentName)()))) {
     let running = false;
     const queue = [];
@@ -54,6 +69,7 @@ function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runIn
             let nextReason = reason;
             let nextTaskId = taskId;
             let nextHabitName = habitName;
+            let consecutiveInstinctTurns = reason === "instinct" ? 1 : 0;
             do {
                 try {
                     await runTurn({ reason: nextReason, taskId: nextTaskId, habitName: nextHabitName });
@@ -82,16 +98,36 @@ function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runIn
                         // Habit file/state may be unavailable during the turn — skip gracefully
                     }
                 }
-                // Drain queue first
+                // Drain queue first. Externally-queued work resets the instinct cap
+                // because a real outside trigger arrived between turns.
                 if (queue.length > 0) {
                     const next = queue.shift();
                     nextReason = next.reason;
                     nextTaskId = next.taskId;
                     nextHabitName = next.habitName;
+                    consecutiveInstinctTurns = nextReason === "instinct" ? consecutiveInstinctTurns + 1 : 0;
                     continue;
                 }
-                // Then check hasPendingWork fallback
+                // Then check hasPendingWork fallback. This is the loop site: any
+                // tool that writes to the inner-dialog pending dir during a turn
+                // would cause hasPendingWork() to be true here, producing a
+                // self-sustaining "instinct" loop with no external input. Cap it.
                 if (hasPendingWork()) {
+                    if (consecutiveInstinctTurns >= exports.MAX_CONSECUTIVE_INSTINCT_TURNS) {
+                        (0, runtime_1.emitNervesEvent)({
+                            level: "warn",
+                            component: "senses",
+                            event: "senses.inner_dialog_worker_instinct_loop_capped",
+                            message: "inner dialog worker stopped chaining instinct turns; pending work remains for next external trigger",
+                            meta: {
+                                consecutiveInstinctTurns,
+                                cap: exports.MAX_CONSECUTIVE_INSTINCT_TURNS,
+                                lastReason: nextReason,
+                            },
+                        });
+                        break;
+                    }
+                    consecutiveInstinctTurns += 1;
                     nextReason = "instinct";
                     nextTaskId = undefined;
                     nextHabitName = undefined;

package/dist/senses/trust-gate.js

@@ -93,6 +93,91 @@ function writeInnerPendingNotice(bundleRoot, noticeContent, nowIso) {
     fs.mkdirSync(innerPendingDir, { recursive: true });
     fs.writeFileSync(filePath, JSON.stringify(payload), "utf-8");
 }
+const ACKNOWLEDGED_GROUPS_FILENAME = "acknowledged-auto-groups.json";
+function acknowledgedGroupsPath(bundleRoot) {
+    return path.join(bundleRoot, "state", ACKNOWLEDGED_GROUPS_FILENAME);
+}
+function loadAcknowledgedGroupsState(bundleRoot) {
+    try {
+        const raw = fs.readFileSync(acknowledgedGroupsPath(bundleRoot), "utf-8");
+        if (!raw.trim())
+            return {};
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return {};
+        return parsed;
+    }
+    catch {
+        return {};
+    }
+}
+function persistAcknowledgedGroupsState(bundleRoot, state) {
+    const target = acknowledgedGroupsPath(bundleRoot);
+    fs.mkdirSync(path.dirname(target), { recursive: true });
+    fs.writeFileSync(target, `${JSON.stringify(state, null, 2)}\n`, "utf-8");
+}
+/**
+ * For BlueBubbles group chats that were auto-created at stranger trust (no
+ * explicit operator/agent action ever bound the harness to this group), the
+ * gate's family-member bypass would otherwise let messages flow through
+ * silently and the agent would accumulate a session it has no mental model
+ * for. Surface the relationship as an inner-pending notice exactly once so
+ * the agent can categorize / rename / dismiss the group on its next turn.
+ *
+ * Returns true if a notice was written so callers can emit a telemetry event.
+ */
+function maybeSurfaceAutoCreatedGroup(input, bundleRoot, nowIso) {
+    // Caller guarantees isGroupChat = true (only invoked from the family-member
+    // bypass branch); skip a redundant guard here.
+    if (input.friend.trustLevel !== "stranger")
+        return false;
+    if (!input.friend.notes?.["autoCreatedGroup"])
+        return false;
+    // loadAcknowledgedGroupsState is defensive (its own try/catch returns {})
+    // so we don't wrap it in another try here.
+    const state = loadAcknowledgedGroupsState(bundleRoot);
+    if (state[input.friend.id])
+        return false;
+    const noticeContent = `New BlueBubbles group "${input.friend.name}" became active without explicit acknowledgment. ` +
+        `It was auto-created at stranger trust the first time a message routed through it. ` +
+        `If you recognize the group, label or rename it (and consider promoting trust); if not, you can leave it as a stranger group or rename it for clarity. ` +
+        `external id: ${input.externalId}; friend id: ${input.friend.id}.`;
+    try {
+        writeInnerPendingNotice(bundleRoot, noticeContent, nowIso);
+        persistAcknowledgedGroupsState(bundleRoot, {
+            ...state,
+            [input.friend.id]: { surfacedAt: nowIso },
+        });
+        (0, runtime_1.emitNervesEvent)({
+            level: "info",
+            component: "senses",
+            event: "senses.trust_gate_group_acknowledgment_surfaced",
+            message: "auto-created group surfaced for agent acknowledgment",
+            meta: {
+                friendId: input.friend.id,
+                friendName: input.friend.name,
+                externalId: input.externalId,
+                provider: input.provider,
+            },
+        });
+        return true;
+        /* v8 ignore start -- defensive: surfacing failure must not block the gate decision @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "senses",
+            event: "senses.trust_gate_error",
+            message: "failed to surface auto-created group for acknowledgment",
+            meta: {
+                friendId: input.friend.id,
+                reason: error instanceof Error ? error.message : String(error),
+            },
+        });
+        return false;
+    }
+    /* v8 ignore stop */
+}
 function enforceTrustGate(input) {
     const { senseType } = input;
     // Local (CLI) and internal (inner dialog) — always allow
@@ -104,8 +189,18 @@ function enforceTrustGate(input) {
         return { allowed: true };
     }
     // Open senses (BlueBubbles/iMessage) — enforce trust rules
-    // Group chat with a family member present — allow regardless of trust level
+    // Group chat with a family member present — allow regardless of trust level.
+    // BUT if this is an auto-created stranger group (the harness picked it up
+    // silently via the family-member shortcut and the agent never explicitly
+    // acknowledged it), surface a one-time inner-pending notice so the agent
+    // gets a chance to categorize / rename / dismiss the relationship instead
+    // of accumulating activity invisibly.
     if (input.isGroupChat && input.groupHasFamilyMember) {
+        /* v8 ignore start -- defaults shared with the rest of the gate; tested via the stranger-trust path */
+        const bundleRoot = input.bundleRoot ?? (0, identity_1.getAgentRoot)();
+        const nowIso = (input.now ?? (() => new Date()))().toISOString();
+        /* v8 ignore stop */
+        maybeSurfaceAutoCreatedGroup(input, bundleRoot, nowIso);
         return { allowed: true };
     }
     const trustLevel = input.friend.trustLevel ?? "friend";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.484",
+  "version": "0.1.0-alpha.485",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",