npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.601 → 0.1.0-alpha.602 - Mend

@ouro.bot/cli 0.1.0-alpha.601 → 0.1.0-alpha.602

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/changelog.json +6 -0
package/dist/heart/daemon/process-manager.js +75 -1
package/dist/heart/daemon/sense-manager.js +27 -8
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,12 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.602",
+      "changes": [
+        "Two-part fix for the 2026-05-11 BlueBubbles wedge that drove the user (Ari) up the wall: Slugger's BB session showed the same user message replayed 76 times, because each death-spiral cycle re-injected the inbound. Root cause was the daemon's HTTP health probe (`createHttpHealthProbe(\"bluebubbles:<agent>\", port)`) GETting the sense's /health endpoint every ~60 s with a 5 s timeout — busy BB sense (e.g. VLM image-describe at 20+ s) timed out, daemon declared 'critical', SIGTERM'd the sense mid-work, respawned, hit the same image, killed again, forever. Part 1: removed the HTTP probe entirely from `listHealthProbes()`. Process supervision (`processManager` child-process exit handler) already catches dead processes; for 'alive but hung' we now rely on the agent's own awareness via `pendingRecoveryCount` / `lastRecoveredAt` in the BB runtime state surfaced into the prompt, plus the agent's new `restart_runtime` tool (from alpha.598 / #723). Part 2: defense-in-depth respawn-loop guard in `processManager.restartAgent` — if anything triggers more than `RESPAWN_GUARD_MAX_RESTARTS = 5` orchestrated restarts in `RESPAWN_GUARD_WINDOW_MS = 10 min`, refuse further restarts (`daemon.agent_respawn_loop_tripped` nerves event, errorReason + fixHint set on the snapshot). Trip self-clears once timestamps age out of the window, and `startAgent` (= `ouro up`) bypasses the guard so the operator can always recover. Even if some other future cause re-introduces a tight respawn loop, the guard bounds it. The 2026-05-11 spiral was ~60 restarts/hr — well above 5/10min, so this would have caught it."
+      ]
+    },
     {
       "version": "0.1.0-alpha.601",
       "changes": [

package/dist/heart/daemon/process-manager.js CHANGED Viewed

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DaemonProcessManager = void 0;
+exports.DaemonProcessManager = exports.RESPAWN_GUARD_WINDOW_MS = exports.RESPAWN_GUARD_MAX_RESTARTS = void 0;
 const child_process_1 = require("child_process");
 const path = __importStar(require("path"));
 const identity_1 = require("../identity");
@@ -41,6 +41,18 @@ const runtime_1 = require("../../nerves/runtime");
 function startOfHour(ms) {
     return ms - 60 * 60 * 1000;
 }
+/**
+ * Respawn-loop guard: refuse `restartAgent` if we've already orchestrated
+ * RESPAWN_GUARD_MAX_RESTARTS in the past RESPAWN_GUARD_WINDOW_MS.
+ *
+ * Calibrated for the 2026-05-11 BB sense incident: a misconfigured probe
+ * was triggering `restartAgent` every ~60s for hours. Five restarts in
+ * 10 minutes is well above the rate of legitimate operational restarts
+ * (a single human-initiated `ouro down && ouro up` produces one) and well
+ * below the rate of a death spiral (60/hr ⇒ 10/10min).
+ */
+exports.RESPAWN_GUARD_MAX_RESTARTS = 5;
+exports.RESPAWN_GUARD_WINDOW_MS = 10 * 60_000;
 class DaemonProcessManager {
     agents = new Map();
     maxRestartsPerHour;
@@ -149,6 +161,8 @@ class DaemonProcessManager {
                 startAttemptId: 0,
                 restartTimer: null,
                 crashTimestamps: [],
+                orchestratedRestartTimestamps: [],
+                respawnLoopTripped: false,
                 stopRequested: false,
                 cooldownTimer: null,
                 cooldownRetryCount: 0,
@@ -370,6 +384,11 @@ class DaemonProcessManager {
         this.clearRestartTimer(state);
         this.clearCooldownTimer(state);
         state.stopRequested = true;
+        // NOTE: do not touch state.respawnLoopTripped / orchestratedRestartTimestamps
+        // here. restartAgent calls stopAgent internally; clearing the guard here
+        // would reset the window every cycle and defeat the loop-detection. The
+        // guard self-clears when timestamps age out of the window (handled inside
+        // restartAgent at the prune step).
         if (!state.process) {
             state.snapshot.status = "stopped";
             state.snapshot.pid = null;
@@ -396,6 +415,61 @@ class DaemonProcessManager {
     }
     async restartAgent(agent) {
         const state = this.requireAgent(agent);
+        // Respawn-loop guard: prune timestamps outside the window, then check
+        // whether we've already restarted this agent too many times in it.
+        const now = this.now();
+        const windowStart = now - exports.RESPAWN_GUARD_WINDOW_MS;
+        state.orchestratedRestartTimestamps = state.orchestratedRestartTimestamps.filter((ts) => ts >= windowStart);
+        // If the window is now empty, the trip naturally self-clears. That means
+        // after RESPAWN_GUARD_WINDOW_MS of no restart attempts, the daemon is
+        // willing to try again (e.g. for a fresh health probe failure that has
+        // nothing to do with the original loop).
+        if (state.respawnLoopTripped && state.orchestratedRestartTimestamps.length === 0) {
+            state.respawnLoopTripped = false;
+            state.snapshot.errorReason = null;
+            state.snapshot.fixHint = null;
+            (0, runtime_1.emitNervesEvent)({
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_cleared",
+                message: "respawn-loop guard cleared by window-aging",
+                meta: { agent, windowMs: exports.RESPAWN_GUARD_WINDOW_MS },
+            });
+            this.notifySnapshotChange(state.snapshot);
+        }
+        if (state.respawnLoopTripped) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_blocked",
+                message: "refused agent restart — respawn-loop guard tripped; manual intervention required",
+                meta: {
+                    agent,
+                    recentRestartCount: state.orchestratedRestartTimestamps.length,
+                    windowMs: exports.RESPAWN_GUARD_WINDOW_MS,
+                },
+            });
+            return;
+        }
+        if (state.orchestratedRestartTimestamps.length >= exports.RESPAWN_GUARD_MAX_RESTARTS) {
+            state.respawnLoopTripped = true;
+            state.snapshot.errorReason = `respawn loop detected: ${exports.RESPAWN_GUARD_MAX_RESTARTS}+ restarts in ${Math.round(exports.RESPAWN_GUARD_WINDOW_MS / 60_000)}min — refusing further restarts`;
+            state.snapshot.fixHint = "investigate the root cause then run `ouro up` to resume";
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_tripped",
+                message: "respawn-loop guard tripped; further restarts blocked",
+                meta: {
+                    agent,
+                    restartCount: state.orchestratedRestartTimestamps.length,
+                    windowMs: exports.RESPAWN_GUARD_WINDOW_MS,
+                    maxRestarts: exports.RESPAWN_GUARD_MAX_RESTARTS,
+                },
+            });
+            this.notifySnapshotChange(state.snapshot);
+            return;
+        }
+        state.orchestratedRestartTimestamps.push(now);
         if (state.startInFlight && !state.process) {
             const startedAt = state.startAttemptedAtMs;
             /* v8 ignore next -- defensive: startInFlight always records a start timestamp @preserve */

package/dist/heart/daemon/sense-manager.js CHANGED Viewed

@@ -44,7 +44,6 @@ const provider_credentials_1 = require("../provider-credentials");
 const sense_truth_1 = require("../sense-truth");
 const machine_identity_1 = require("../machine-identity");
 const process_manager_1 = require("./process-manager");
-const http_health_probe_1 = require("./http-health-probe");
 const DEFAULT_TEAMS_PORT = 3978;
 const DEFAULT_BLUEBUBBLES_PORT = 18790;
 const DEFAULT_BLUEBUBBLES_WEBHOOK_PATH = "/bluebubbles-webhook";
@@ -631,13 +630,33 @@ class DaemonSenseManager {
             if (!context.senses.bluebubbles.enabled || !context.facts.bluebubbles.configured || !machineRuntimeConfig.ok) {
                 continue;
             }
-            const machinePayload = machineRuntimeConfig.config;
-            const bluebubblesChannel = machinePayload.bluebubblesChannel;
-            const port = numberField(bluebubblesChannel, "port", DEFAULT_BLUEBUBBLES_PORT);
-            probes.push({
-                ...(0, http_health_probe_1.createHttpHealthProbe)(`bluebubbles:${agent}`, port),
-                managedName: `${agent}:bluebubbles`,
-            });
+            // DELIBERATELY no HTTP health probe for BlueBubbles.
+            //
+            // We used to register `createHttpHealthProbe(...)` here, which GETs the
+            // sense's /health endpoint every ~60s with a 5s timeout. On 2026-05-11
+            // that caused a death spiral:
+            //   1. Sense gets busy with real work (e.g. VLM image describe → 20+s)
+            //   2. /health probe times out at 5s
+            //   3. Daemon declares the sense "critical" → SIGTERMs it mid-work
+            //   4. Sense respawns, recovery loop replays the same inbound message
+            //      into the agent's BB session (visible side-effect — slugger saw
+            //      the same user text injected 76 times)
+            //   5. New sense hits the same VLM call, gets killed at 5s, repeat
+            //
+            // The probe was redundant supervision: dead processes are already
+            // recaptured by `processManager`'s child-process exit handler. The
+            // probe specifically caught "alive but hung" cases — but the cost
+            // (killing genuinely-busy processes and replaying messages) far
+            // outweighed the benefit. For "alive but hung" detection we now
+            // rely on the agent's own awareness: BB sense's runtime.json carries
+            // pendingRecoveryCount + lastRecoveredAt, surfaced in the agent
+            // prompt. If recovery has been wedged for too long, the agent can
+            // call `restart_runtime` itself (see alpha.598 / PR #723).
+            //
+            // The respawn-loop guard in processManager is the backstop: even if
+            // something else triggers a tight respawn cycle for any reason, the
+            // guard fires and refuses further restarts after N attempts in M
+            // minutes, so we can never re-enter the 2026-05-11 spiral.
         }
         return probes;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.601",
+  "version": "0.1.0-alpha.602",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",