npm - alvin-bot - Versions diffs - 4.4.6 → 4.4.7 - Mend

alvin-bot 4.4.6 → 4.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,43 @@
 All notable changes to Alvin Bot are documented here.
+## [4.4.7] — 2026-04-09
+### 🔐 Security / Dependencies
+**6 of 9 npm audit vulnerabilities fixed (non-breaking)** — Ran `npm audit fix` to patch the transitive `@xmldom/xmldom` XML injection, `basic-ftp` CRLF command injection, and `brace-expansion` DoS vulnerabilities. Also upgraded the direct dependency `@anthropic-ai/claude-agent-sdk` from `0.2.92` to `0.2.97` (latest, non-breaking patch release with no changes to the `query()` API surface Alvin-Bot uses).
+Remaining unaddressed (by design, require breaking upgrades or overrides):
+- `@anthropic-ai/sdk` Memory Tool sandbox escape — **not exploitable** in Alvin-Bot because the `Memory` tool is not listed in `allowedTools` (we only use `Read`, `Write`, `Edit`, `Bash`, `Glob`, `Grep`, `WebSearch`, `WebFetch`, `Task`).
+- `electron` (17 advisories) — waiting for a planned breaking upgrade to `electron@41.x`.
+### ✨ Stability Improvements
+**Session memory hygiene (`src/services/session.ts`)** — The in-memory `sessions` Map grew unbounded: every user that ever messaged the bot kept a full session object (including conversation history, cost breakdown, abort controller) forever. On a single-user bot like Ali's this is a non-issue; on any multi-user deployment it's a steady leak.
+New behavior:
+- **Conservative 7-day TTL**: a session is only eligible for cleanup after 7 full days of complete inactivity. Configurable via `ALVIN_SESSION_TTL_DAYS` env var.
+- **Never touches active sessions**: the cleanup loop explicitly skips any session with `isProcessing === true`.
+- **`lastActivity` touched on every `getSession()` call**: any interaction at all keeps the session alive indefinitely.
+- **Orphaned `abortController` cleanup** before removal (defensive).
+- Runs hourly; logs a message when it actually purges something.
+This is memory hygiene only — it cannot reduce Alvin-Bot's capabilities, permissions, or responsiveness. Active users see zero behavioral change.
+**MAX_BUDGET_USD tracking (`src/services/session.ts:trackProviderUsage`)** — The `MAX_BUDGET_USD` config was declared but never read anywhere. Now it's tracked as a **soft warning** (never a block):
+- When a session's cumulative cost crosses 80% of the configured budget, a `⚠️  Session budget 80% consumed` message is logged.
+- When it crosses 100%, a `💸 Session budget exceeded … bot continues (no hard limit enforced)` message is logged.
+- **The bot never blocks** — the warnings exist purely as operator signals. `/new` resets the warning flags so subsequent sessions get fresh thresholds.
+- `session.totalCost` is now correctly incremented (previously declared in the interface but never written to).
+### 📦 Compatibility
+No breaking changes. User-facing behavior is identical — same commands, same permissions, same response patterns. The only visible change is new log messages for cleanup events and budget thresholds.
+```bash
+npm update -g alvin-bot
+```
 ## [4.4.6] — 2026-04-09
 ### 🐛 Bug Fixes

package/dist/index.js CHANGED Viewed

@@ -60,6 +60,7 @@ import { loadPlugins, registerPluginCommands, unloadPlugins } from "./services/p
 import { initMCP, disconnectMCP, hasMCPConfig } from "./services/mcp.js";
 import { startWebServer } from "./web/server.js";
 import { startScheduler, stopScheduler, setNotifyCallback } from "./services/cron.js";
+import { startSessionCleanup, stopSessionCleanup } from "./services/session.js";
 import { processQueue, cleanupQueue, setSenders, enqueue } from "./services/delivery-queue.js";
 import { discoverTools } from "./services/tool-discovery.js";
 import { startHeartbeat } from "./services/heartbeat.js";
@@ -214,6 +215,7 @@ const shutdown = async () => {
     console.log("Graceful shutdown initiated...");
     cancelAllSubAgents();
     stopScheduler();
+    stopSessionCleanup();
     if (queueInterval)
         clearInterval(queueInterval);
     if (queueCleanupInterval)
@@ -348,6 +350,9 @@ setNotifyCallback(async (target, text) => {
     enqueue(target.platform, String(target.chatId), text);
 });
 startScheduler();
+// Session memory hygiene: purge sessions idle > 7 days (configurable via
+// ALVIN_SESSION_TTL_DAYS). Never touches active sessions — see session.ts.
+startSessionCleanup();
 // Wire delivery queue senders
 setSenders({
     telegram: async (chatId, content) => {

package/dist/services/session.js CHANGED Viewed

@@ -39,6 +39,11 @@ export function getSession(key) {
         };
         sessions.set(k, session);
     }
+    else {
+        // Touch lastActivity on every access so the cleanup interval
+        // never kills a session that's still being interacted with.
+        session.lastActivity = Date.now();
+    }
     return session;
 }
 export function resetSession(key) {
@@ -53,16 +58,85 @@ export function resetSession(key) {
     session.totalOutputTokens = 0;
     session.history = [];
     session.startedAt = Date.now();
+    // Reset budget warning flags so the user gets fresh warnings in the new session.
+    session._budgetWarned80 = false;
+    session._budgetWarned100 = false;
 }
 /** Track cost, query count, and tokens for a provider. */
 export function trackProviderUsage(key, providerKey, cost, inputTokens, outputTokens) {
     const session = getSession(key);
     session.costByProvider[providerKey] = (session.costByProvider[providerKey] || 0) + cost;
     session.queriesByProvider[providerKey] = (session.queriesByProvider[providerKey] || 0) + 1;
+    session.totalCost += cost;
     if (inputTokens)
         session.totalInputTokens += inputTokens;
     if (outputTokens)
         session.totalOutputTokens += outputTokens;
+    // Soft budget warnings — these NEVER block the bot. They exist purely
+    // as log signals so the operator (Ali) can notice unusually expensive
+    // sessions. Each threshold fires at most once per session (reset on /new).
+    const budget = config.maxBudgetUsd;
+    if (budget > 0) {
+        const pct = (session.totalCost / budget) * 100;
+        if (pct >= 100 && !session._budgetWarned100) {
+            console.warn(`💸 Session budget exceeded: $${session.totalCost.toFixed(4)} / $${budget.toFixed(2)} (${pct.toFixed(0)}%) — bot continues (no hard limit enforced)`);
+            session._budgetWarned100 = true;
+        }
+        else if (pct >= 80 && !session._budgetWarned80) {
+            console.warn(`⚠️  Session budget 80% consumed: $${session.totalCost.toFixed(4)} / $${budget.toFixed(2)}`);
+            session._budgetWarned80 = true;
+        }
+    }
+}
+// ── Session Cleanup ────────────────────────────────────────────────────────
+//
+// Memory hygiene for long-running deployments. The sessions Map would
+// otherwise grow unbounded as new users arrive. The cleanup is deliberately
+// *conservative*:
+//   • Default TTL: 7 days of complete inactivity (not 24h)
+//   • Never touches sessions where isProcessing === true
+//   • Touches lastActivity on every getSession() call, so any interaction
+//     in the last 7 days keeps the session alive indefinitely
+//   • Aborts orphaned abort controllers defensively before removal
+//
+// Override via ALVIN_SESSION_TTL_DAYS env var if you want different behavior.
+const SESSION_TTL_DAYS = Number(process.env.ALVIN_SESSION_TTL_DAYS) || 7;
+const SESSION_INACTIVE_TTL_MS = SESSION_TTL_DAYS * 24 * 60 * 60 * 1000;
+const CLEANUP_INTERVAL_MS = 60 * 60 * 1000; // check hourly
+let cleanupTimer = null;
+/** Start the periodic session cleanup. Safe to call multiple times. */
+export function startSessionCleanup() {
+    if (cleanupTimer)
+        return;
+    cleanupTimer = setInterval(() => {
+        const now = Date.now();
+        let purged = 0;
+        for (const [key, s] of sessions) {
+            // NEVER kill a session that's actively processing a query.
+            if (s.isProcessing)
+                continue;
+            if (now - s.lastActivity > SESSION_INACTIVE_TTL_MS) {
+                if (s.abortController) {
+                    try {
+                        s.abortController.abort();
+                    }
+                    catch { /* ignore */ }
+                }
+                sessions.delete(key);
+                purged++;
+            }
+        }
+        if (purged > 0) {
+            console.log(`🧹 Session cleanup: purged ${purged} inactive session(s) (TTL: ${SESSION_TTL_DAYS} days)`);
+        }
+    }, CLEANUP_INTERVAL_MS);
+}
+/** Stop the cleanup timer (for graceful shutdown). */
+export function stopSessionCleanup() {
+    if (cleanupTimer) {
+        clearInterval(cleanupTimer);
+        cleanupTimer = null;
+    }
 }
 /** Add a message to conversation history (for non-SDK providers). */
 export function addToHistory(key, message) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.4.6",
+  "version": "4.4.7",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",
@@ -159,7 +159,7 @@
     "url": "git+https://github.com/alvbln/Alvin-Bot.git"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.92",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.97",
     "@hapi/boom": "^10.0.1",
     "@slack/bolt": "^4.6.0",
     "@types/node": "^22.0.0",