@venturewild/workspace 0.1.1 → 0.1.3

package/server/src/session-reporter.mjs

@@ -0,0 +1,201 @@
+// SessionReporter — the proactive, consented "is this user okay?" feed.
+//
+// WHY: the get-in path is self-serve, but if a real user gets stuck or their
+// install breaks, we were blind unless they ran `operator enable` and messaged
+// us — which makes us a bottleneck (docs/user-experience.md §5). This forwards a
+// LIVE, REDACTED stream of session events + install health to bmo-sync, keyed by
+// account, established at first load — so a stuck/broken user is never invisible
+// and never has to ask.
+//
+// PRIVACY — the load-bearing boundary: this feed carries WHAT happened (a turn
+// ran, tool X fired, an error, token/cost), NEVER the words. Chat text, tool
+// inputs, file contents, and paths are reduced to lengths/counts before anything
+// leaves the machine. Conversation *content* is a separate, separately-consented
+// channel (transcript.mjs). `redactEvent` is an ALLOWLIST projection — any event
+// type we don't explicitly model forwards only `{type}`, so a new event can
+// never leak by default. The matching test asserts a secret typed into a chat
+// turn never appears in the payload.
+//
+// Modeled on error-reporter.mjs (fire-and-forget, rate-limited, disable-able).
+// Gated by BOTH consent (user toggle) AND the shared WILD_WORKSPACE_NO_TELEMETRY
+// kill switch; inert without an accountToken (can't key it) or on a localhost
+// bmo-sync URL (dev).
+
+import os from 'node:os';
+import { APP_VERSION } from './config.mjs';
+
+function sanitizeUsage(u) {
+  if (!u || typeof u !== 'object') return null;
+  const out = {
+    input_tokens: Number(u.input_tokens) || 0,
+    output_tokens: Number(u.output_tokens) || 0,
+  };
+  if (typeof u.cost_usd === 'number') out.cost_usd = u.cost_usd;
+  return out;
+}
+
+/**
+ * Project one ActivityBus event to a SAFE shape. Allowlist by type; anything not
+ * listed forwards only {type, ts, id}. NEVER returns chat text, tool inputs,
+ * file paths, or file contents.
+ */
+export function redactEvent(ev) {
+  if (!ev || typeof ev !== 'object') return null;
+  const base = { type: ev.type, ts: ev.ts, id: ev.id };
+  if (ev.messageId) base.messageId = ev.messageId;
+  switch (ev.type) {
+    case 'chat-user':
+      // The user's prompt — length only, never the words.
+      return { ...base, textLen: typeof ev.text === 'string' ? ev.text.length : 0 };
+    case 'chat-stream': {
+      const c = ev.chunk || {};
+      const safe = { ...base, chunkType: c.type };
+      if (c.type === 'text' && typeof c.text === 'string') safe.textLen = c.text.length;
+      // tool NAME is safe ("Edit", "Bash"); the tool INPUT is not — never forward it.
+      if (c.type === 'tool-use') safe.tool = typeof c.name === 'string' ? c.name : c.tool || null;
+      if (c.type === 'usage' && c.usage) safe.usage = sanitizeUsage(c.usage);
+      if (c.type === 'error') safe.hasError = true; // the flag, not the message
+      return safe;
+    }
+    case 'usage':
+      return { ...base, usage: sanitizeUsage(ev.usage) };
+    case 'chat-end':
+      return { ...base, code: ev.code };
+    case 'identity-changed':
+      return { ...base, tone: ev.tone || null }; // tone only; drop the agent's name
+    case 'onboarded':
+      return { ...base, at: ev.at || null };
+    case 'agent-changed':
+      return { ...base, agentId: ev.agentId || null };
+    case 'daemon-status':
+      return { ...base, status: ev.status || null };
+    case 'operator-action':
+      return { ...base, action: ev.action || null }; // action verb, not its detail
+    case 'inbox-change':
+      return { ...base, count: Array.isArray(ev.snapshot) ? ev.snapshot.length : undefined };
+    case 'presence-join':
+    case 'presence-leave':
+    case 'presence-focus':
+      // sessionId + role are safe; `focus` can be a file path → dropped.
+      return { ...base, sessionId: ev.sessionId, role: ev.role };
+    default:
+      // Unknown event → minimal envelope only. Privacy fails CLOSED.
+      return { type: ev.type, ts: ev.ts, id: ev.id };
+  }
+}
+
+const FLUSH_INTERVAL_MS = 15_000; // batch window
+const MAX_BATCH = 50; //            flush early once this many buffer
+const MAX_BUFFER = 500; //          hard cap — drop oldest beyond this
+
+export class SessionReporter {
+  constructor({
+    bmoSyncUrl,
+    accountToken,
+    slug = null,
+    workspaceId = 'workspace',
+    sessionId = null,
+    enabled = true,
+    endpointPath = '/api/telemetry',
+    flushIntervalMs = FLUSH_INTERVAL_MS,
+    maxBatch = MAX_BATCH,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+    nowImpl = () => Date.now(),
+  } = {}) {
+    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
+    this.accountToken = accountToken || null;
+    this.slug = slug;
+    this.workspaceId = workspaceId;
+    this.sessionId = sessionId;
+    this.endpointPath = endpointPath;
+    this.flushIntervalMs = flushIntervalMs;
+    this.maxBatch = maxBatch;
+    this.fetchImpl = fetchImpl;
+    this.nowImpl = nowImpl;
+    this.buffer = [];
+    this.timer = null;
+    // Inert without a token, without a server, or on localhost (dev).
+    this._capable =
+      Boolean(this.accountToken) &&
+      Boolean(this.bmoSyncUrl) &&
+      !this.bmoSyncUrl.startsWith('http://127') &&
+      !this.bmoSyncUrl.startsWith('http://localhost');
+    this.enabled = enabled !== false && this._capable;
+  }
+
+  /** Live consent toggle — no restart needed when the user flips observability. */
+  setEnabled(on) {
+    this.enabled = Boolean(on) && this._capable;
+    if (!this.enabled) this.buffer = [];
+  }
+
+  /** Feed one ActivityBus event. Redacts + buffers; flushes on size. No-op when off. */
+  ingest(ev) {
+    if (!this.enabled) return;
+    const safe = redactEvent(ev);
+    if (!safe) return;
+    this.buffer.push(safe);
+    if (this.buffer.length > MAX_BUFFER) this.buffer.splice(0, this.buffer.length - MAX_BUFFER);
+    if (this.buffer.length >= this.maxBatch) this.flush();
+  }
+
+  /** POST the install-health snapshot alongside events (called by the supervisor path too). */
+  envelope(events, extra = {}) {
+    return {
+      account_token: this.accountToken,
+      slug: this.slug,
+      workspace_id: this.workspaceId,
+      session_id: this.sessionId,
+      app_version: APP_VERSION,
+      os: `${os.platform()}-${os.arch()}`,
+      sent_at: Math.floor(this.nowImpl() / 1000),
+      events,
+      ...extra,
+    };
+  }
+
+  /** Fire-and-forget flush of the current buffer. Never throws. */
+  flush() {
+    if (!this.enabled || !this.buffer.length) return;
+    const events = this.buffer;
+    this.buffer = [];
+    this._post(this.envelope(events));
+  }
+
+  _post(body) {
+    const url = `${this.bmoSyncUrl}${this.endpointPath}`;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 5000);
+    if (timer.unref) timer.unref();
+    let p;
+    try {
+      // Call synchronously so the request is observable without awaiting a tick.
+      p = this.fetchImpl(url, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(body),
+        signal: ctrl.signal,
+      });
+    } catch {
+      clearTimeout(timer);
+      return; // telemetry must never break the user's path
+    }
+    Promise.resolve(p)
+      .catch(() => {})
+      .finally(() => clearTimeout(timer));
+  }
+
+  start() {
+    if (this.timer || !this._capable) return;
+    this.timer = setInterval(() => this.flush(), this.flushIntervalMs);
+    if (this.timer.unref) this.timer.unref(); // never keep the process alive
+  }
+
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+    this.flush();
+  }
+}

package/server/src/supervisor.mjs

@@ -0,0 +1,217 @@
+// WorkspaceSupervisor — keeps the wild-workspace server alive in the background.
+//
+// The server itself auto-starts the bmo-sync daemon on boot (DaemonSupervisor),
+// so keeping the server up brings the whole local stack — public URL included —
+// back to life. This is the watchdog half of the always-on feature
+// (docs/always-on-design.md); `service.mjs` is the per-OS autostart half that
+// launches this hidden at login via `wild-workspace service run`.
+//
+// Design (all proven on Windows incl. a real reboot, 2026-05-30):
+//  - Health-driven: polls GET /api/health and (re)spawns the server only when
+//    it is down — so it never fights a server someone else started and handles
+//    crash recovery naturally.
+//  - Singleton: an exclusive lockfile in the machine-global dir
+//    (~/.wild-workspace, NEVER the synced workspace — locked principle #1).
+//    A stale lock whose pid is dead is taken over.
+//  - Exponential backoff (capped) so a crash-looping server can't spin the CPU.
+//  - Everything is logged — silent death is the #1 un-debuggable failure mode.
+//
+// Every external touch-point (spawn, health probe, clock) is an injected seam
+// so the suite never spawns a real process.
+
+import { spawn } from 'node:child_process';
+import http from 'node:http';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const DEFAULT_SERVER_ENTRY = path.join(__dirname, 'index.mjs');
+
+/** Resolve true iff the local server answers /api/health. Never throws. */
+export function probeHealth(port, timeoutMs = 2500) {
+  return new Promise((resolve) => {
+    const req = http.get(
+      { host: '127.0.0.1', port, path: '/api/health', timeout: timeoutMs },
+      (res) => { res.resume(); resolve(res.statusCode > 0); },
+    );
+    req.on('error', () => resolve(false));
+    req.on('timeout', () => { req.destroy(); resolve(false); });
+  });
+}
+
+export class WorkspaceSupervisor {
+  constructor({
+    serverEntry = DEFAULT_SERVER_ENTRY,
+    workspaceDir = process.cwd(),
+    port = Number(process.env.WILD_WORKSPACE_PORT || 5173),
+    globalDir = path.join(os.homedir(), '.wild-workspace'),
+    node = process.execPath,
+    pollMs = 3000,
+    backoffStartMs = 1000,
+    backoffMaxMs = 30000,
+    probeTimeoutMs = 2500,
+    spawnImpl = spawn,
+    probeImpl = probeHealth,
+    nowImpl = () => Date.now(),
+    env = process.env,
+    crashLoopThreshold = 3,
+    diagnosticsImpl = null,
+  } = {}) {
+    Object.assign(this, {
+      serverEntry, workspaceDir, port, globalDir, node, pollMs,
+      backoffStartMs, backoffMaxMs, probeTimeoutMs, spawnImpl, probeImpl, nowImpl, env,
+      crashLoopThreshold, diagnosticsImpl,
+    });
+    this.logFile = path.join(globalDir, 'supervisor.log');
+    this.serverLogFile = path.join(globalDir, 'server.out.log');
+    this.lockFile = path.join(globalDir, 'supervisor.lock');
+    this.child = null;
+    this.backoff = backoffStartMs;
+    this.lastSpawn = 0;
+    this.timer = null;
+    this.spawnCount = 0; //        consecutive spawns without becoming healthy
+    this.pushedThisEpisode = false; // crash-loop diagnostics pushed once per episode
+  }
+
+  log(msg) {
+    try { fs.appendFileSync(this.logFile, `[${new Date().toISOString()}] ${msg}\n`); } catch { /* best-effort */ }
+  }
+
+  /** Is a pid alive? EPERM means "exists, not ours" → still alive. */
+  pidAlive(pid) {
+    try { process.kill(pid, 0); return true; } catch (e) { return !!(e && e.code === 'EPERM'); }
+  }
+
+  /** Exclusive lock; take over ONLY a stale lock (recorded pid no longer alive). */
+  acquireLock() {
+    try { fs.mkdirSync(this.globalDir, { recursive: true }); } catch { /* surfaced below */ }
+    try {
+      const fd = fs.openSync(this.lockFile, 'wx');
+      fs.writeSync(fd, String(process.pid));
+      fs.closeSync(fd);
+      return true;
+    } catch {
+      let old = null;
+      try { old = Number(fs.readFileSync(this.lockFile, 'utf8').trim()); } catch { /* unreadable */ }
+      if (old && this.pidAlive(old)) {
+        this.log(`live supervisor pid=${old} already running; exiting`);
+        return false;
+      }
+      try { fs.writeFileSync(this.lockFile, String(process.pid)); this.log('took over stale lock'); return true; }
+      catch { return false; }
+    }
+  }
+
+  releaseLock() {
+    try {
+      if (Number(fs.readFileSync(this.lockFile, 'utf8').trim()) === process.pid) fs.unlinkSync(this.lockFile);
+    } catch { /* already gone */ }
+  }
+
+  spawnServer() {
+    let out = 'ignore';
+    try { out = fs.openSync(this.serverLogFile, 'a'); } catch { /* output discarded */ }
+    this.child = this.spawnImpl(this.node, [this.serverEntry], {
+      cwd: this.workspaceDir,
+      windowsHide: true,
+      stdio: ['ignore', out, out],
+      env: { ...this.env, WILD_WORKSPACE_NO_OPEN: '1', WILD_WORKSPACE_DIR: this.workspaceDir },
+    });
+    if (typeof out === 'number') { try { fs.closeSync(out); } catch { /* parent fd */ } }
+    this.lastSpawn = this.nowImpl();
+    const pid = this.child && this.child.pid;
+    this.log(`spawned server pid=${pid} (backoff=${this.backoff}ms)`);
+    if (this.child && this.child.on) {
+      this.child.on('exit', (code, sig) => { this.log(`server pid=${pid} exited code=${code} sig=${sig}`); this.child = null; });
+    }
+    return this.child;
+  }
+
+  /** One supervision step. Returns its decision (exposed for tests). */
+  async tick() {
+    if (await this.probeImpl(this.port, this.probeTimeoutMs)) {
+      this.backoff = this.backoffStartMs; // healthy → reset backoff
+      this.spawnCount = 0; //              healthy → not a crash loop
+      this.pushedThisEpisode = false;
+      return 'healthy';
+    }
+    if (this.child) return 'booting';                                  // spawned, still coming up
+    if (this.nowImpl() - this.lastSpawn < this.backoff) return 'backoff';
+    this.spawnServer();
+    this.backoff = Math.min(this.backoff * 2, this.backoffMaxMs);
+    this.spawnCount += 1;
+    // Crash loop: the server won't stay up, so the operator channel (which rides
+    // the :5173 server) can't reach this machine at all. Push an install-down
+    // `doctor` bundle to bmo-sync ONCE per episode so support sees it anyway —
+    // the install-failed-before-server-up case (docs/user-experience.md §5).
+    if (this.spawnCount >= this.crashLoopThreshold && !this.pushedThisEpisode) {
+      this.pushedThisEpisode = true;
+      Promise.resolve(this.pushDiagnostics()).catch((e) => this.log(`diag push error: ${e?.message || e}`));
+    }
+    return 'spawned';
+  }
+
+  /**
+   * Push an install-down diagnostic bundle to bmo-sync. Injected (`diagnosticsImpl`)
+   * in tests; the real path is consent- + token-gated and never runs under the
+   * test runner. Best-effort, never throws into the supervision loop.
+   */
+  async pushDiagnostics() {
+    if (this.diagnosticsImpl) return this.diagnosticsImpl(this);
+    if (process.env.VITEST || process.env.NODE_ENV === 'test') return;
+    try {
+      const [{ buildConfig }, { runDoctor }, { loadObservabilityConsent }] = await Promise.all([
+        import('./config.mjs'),
+        import('./doctor.mjs'),
+        import('./observability.mjs'),
+      ]);
+      const config = buildConfig({ workspaceDir: this.workspaceDir, port: this.port });
+      if (!config.accountToken) return; //                        can't key it to a user
+      if (process.env.WILD_WORKSPACE_NO_TELEMETRY === '1') return; // kill switch
+      if (!loadObservabilityConsent(config.dataDir).enabled) return; // consent
+      const report = await runDoctor({ config });
+      const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
+      const ctrl = new AbortController();
+      const t = setTimeout(() => ctrl.abort(), 5000);
+      try {
+        await fetch(url, {
+          method: 'POST',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({
+            account_token: config.accountToken,
+            slug: config.account?.slug || null,
+            workspace_id: config.workspaceId,
+            kind: 'install-down',
+            doctor: report,
+            sent_at: Math.floor(Date.now() / 1000),
+          }),
+          signal: ctrl.signal,
+        });
+        this.log(`pushed install-down diagnostics (fail=${report.summary?.fail})`);
+      } finally {
+        clearTimeout(t);
+      }
+    } catch (e) {
+      this.log(`diagnostics push failed: ${e?.message || e}`);
+    }
+  }
+
+  /** Acquire the lock and start the supervision loop. Idempotent across processes. */
+  start() {
+    if (!this.acquireLock()) return { started: false, reason: 'already-running' };
+    process.on('exit', () => this.releaseLock());
+    process.on('SIGTERM', () => process.exit(0));
+    process.on('SIGINT', () => process.exit(0));
+    this.log(`supervisor start pid=${process.pid} watching http://127.0.0.1:${this.port}/api/health (workspace=${this.workspaceDir})`);
+    this.timer = setInterval(() => { this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`)); }, this.pollMs);
+    this.tick().catch((e) => this.log(`tick error: ${e?.message || e}`));
+    return { started: true };
+  }
+
+  stop() {
+    if (this.timer) { clearInterval(this.timer); this.timer = null; }
+    this.releaseLock();
+  }
+}