alvin-bot 4.8.3 → 4.8.5

package/CHANGELOG.md

@@ -2,6 +2,71 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.8.5] — 2026-04-11
+
+### 🐛 `/update` now works for npm-global installs
+
+Caught on the test MacBook: `/update` reported *"Already up to date — no new commits"* even though npm had a newer version published. Root cause was two separate bugs feeding into each other.
+
+**Bug 1 — false git-repo detection**. `isGitRepo()` used `git rev-parse --is-inside-work-tree` which walks up the directory tree looking for any ancestor `.git` folder. On the test MacBook, `alvin-bot` was installed at `/opt/homebrew/lib/node_modules/alvin-bot/` which has no `.git` itself — but Homebrew stores its formula tree at `/opt/homebrew/` as a git repo. So `git rev-parse` walked up, found Homebrew's `.git`, and returned `true`. The updater then dutifully fetched Homebrew's upstream (which was up-to-date), found 0 new commits, and reported "Already up to date" — about the wrong repository.
+
+**Fix**: `isOwnGitRepo()` now does a strict check for `PROJECT_ROOT/.git` directly, no directory walk. False positives from ancestor git repos are impossible.
+
+**Bug 2 — no update path for npm-global installs**. Even with a correct `isGitRepo()` check, the updater would return *"Not in a git repo — update only supported for source installs."* for npm-global installs. That meant you could never update an npm-installed alvin-bot from within the bot itself.
+
+**Fix**: New `runNpmUpdate()` path that kicks in when `PROJECT_ROOT` looks like a `node_modules/alvin-bot` install (covers Homebrew node, plain npm, nvm, volta). It:
+
+1. Reads the local version from `package.json`
+2. Queries `npm view alvin-bot version` for the latest published version
+3. Compares via a tiny semver compare
+4. If newer: runs `npm install -g alvin-bot@latest --no-audit --no-fund` (5 minute timeout)
+5. Signals the caller to restart so the new code takes effect
+6. Detects `EACCES` and suggests `sudo` explicitly instead of a cryptic error
+
+Also improved the git path: falls back to `npm install` + `npm run build` when `pnpm-lock.yaml` doesn't exist (previously hard-coded pnpm).
+
+After 4.8.5, `/update` on the test MacBook will correctly detect the npm install, see that v4.8.4 is the latest, fetch it, and restart. No more false-positive "up to date" when a newer release is out.
+
+## [4.8.4] — 2026-04-11
+
+### 🐛 WhatsApp self-chat detection for the new `@lid` identity format
+
+Ali reported that the WhatsApp bot wasn't responding to "Hi" in his self-chat even after enabling both `Self-chat only` and `Reply to private messages` in the Web UI. Debug logging showed the bot receiving the message correctly and detecting `fromMe=true`, but then hitting the "skip: own message in group/DM" branch because `isSelfChat()` was returning `false`.
+
+**Root cause**: WhatsApp has rolled out a new privacy feature that replaces phone-number JIDs in self-chats (and some groups) with a **LID — Linked Identity**. Instead of `4917661236656@s.whatsapp.net`, messages in a self-chat now arrive with `jid = "162805718225143@lid"` — a completely opaque identifier that looks nothing like the phone number.
+
+Our `isSelfChat(jid)` compared the incoming JID against `sock.user.id` (the traditional phone-number format `4917661236656:22@s.whatsapp.net`), stripped the device suffix, and compared the bare numbers. But the LID has a completely different number (`162805718225143`), so the match failed and every self-chat message fell through to the "own message in DM" skip branch.
+
+**Fix**: `isSelfChat()` now checks **both** identity formats:
+
+- **Traditional phone JID** via `sock.user.id` (legacy path, still matches on older WhatsApp clients)
+- **LID** via `sock.user.lid` (baileys ≥ 6.7 exposes this) with `@lid` suffix matching
+
+Either match wins. The check short-circuits on groups (`@g.us`) so the new code never misclassifies a group as self-chat.
+
+Caught on the Mac mini production bot after midnight — WhatsApp connected, QR scanned, user sending "Hi", bot silent. Debug logging revealed the actual incoming JID (`162805718225143@lid`) which immediately pointed at the LID format as the culprit.
+
+### 🧹 Dual-bot session collision (root cause of WhatsApp reconnect flapping)
+
+While debugging the `@lid` issue above, the test revealed a deeper problem: two `node dist/index.js` processes were running simultaneously on the Mac mini (PID 47744 from an earlier `launchctl kickstart` that didn't cleanly kill the old instance, plus PID 49153 from a new `launchd install`). Both processes were trying to hold the same WhatsApp Multi-Device session at the same time, causing:
+
+- WhatsApp `Reconnecting in 3s` every few seconds (each process would claim the session, the other would be kicked)
+- Baileys `Closing session` dumps to the log
+- Signal session state corruption → "Warte auf diese Nachricht" (waiting-to-decrypt) messages appearing spontaneously in the self-chat
+
+**Short-term workaround**: explicit `pkill -9 -f 'node.*alvin-bot/dist/index'` before `launchctl kickstart` to ensure only one process is running.
+
+**Session wipe procedure** (when the corruption is already baked in):
+
+1. `launchctl unload -w ~/Library/LaunchAgents/com.alvinbot.app.plist`
+2. `pkill -9 -f "node.*alvin-bot/dist/index"`
+3. `rm -rf ~/.alvin-bot/data/whatsapp-auth`
+4. Remove the zombie linked-device from your phone (iPhone Settings → Linked Devices → remove all "Alvin Bot" entries)
+5. `launchctl load -w ~/Library/LaunchAgents/com.alvinbot.app.plist`
+6. Re-scan the QR code
+
+A future release should add a proper `alvin-bot wa reset` command to automate this and a startup check that refuses to boot if another instance is already running.
+
 ## [4.8.3] — 2026-04-11
 
 ### 🐛 Critical: Claude SDK heartbeat false-positive "unavailable"

package/dist/platforms/whatsapp.js

@@ -536,10 +536,38 @@ export class WhatsAppAdapter {
         await this.handler(incoming);
     }
     isSelfChat(jid) {
-        const myJid = this.sock?.user?.id;
-        if (!myJid)
+        if (!this.sock?.user)
             return false;
-        return normalizeJid(jid) === normalizeJid(myJid);
+        // Groups are never self-chat regardless of which identity format
+        // the group uses.
+        if (jid.endsWith("@g.us"))
+            return false;
+        // WhatsApp has two identity formats that can appear in self-chat:
+        //   1. Traditional phone-number JID: 49176...:22@s.whatsapp.net
+        //   2. LID (linked identity): 162805718...@lid — privacy feature
+        //      added in 2024 that hides the real phone number in self-chats
+        //      and some groups. Baileys exposes this as sock.user.lid.
+        //
+        // Check both so self-chat detection works regardless of which
+        // format WhatsApp chose to tag the chat with today.
+        const user = this.sock.user;
+        const myId = user.id;
+        const myLid = user.lid;
+        // Match against phone-number JID (traditional path)
+        if (myId) {
+            const myNumber = jidToNumber(myId);
+            const jidNumber = jidToNumber(jid);
+            if (myNumber && jidNumber && myNumber === jidNumber)
+                return true;
+        }
+        // Match against LID (new privacy format)
+        if (myLid && jid.endsWith("@lid")) {
+            const myLidNum = jidToNumber(myLid);
+            const jidLidNum = jidToNumber(jid);
+            if (myLidNum && jidLidNum && myLidNum === jidLidNum)
+                return true;
+        }
+        return false;
     }
     // ── Public API: Groups ────────────────────────────────────────────────────
     async getGroups() {

package/dist/services/updater.js

@@ -25,83 +25,179 @@ const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot
 const FLAG_FILE = resolve(DATA_DIR, "auto-update.flag");
 const AUTO_CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
 let autoTimer = null;
-async function isGitRepo() {
+/**
+ * Is PROJECT_ROOT itself a git repository? We deliberately do NOT use
+ * `git rev-parse --is-inside-work-tree` because that walks UP the
+ * directory tree and would return true for any ancestor that happens
+ * to be a git repo — e.g. Homebrew stores its formula tree in a git
+ * repo at /opt/homebrew/, so a npm-global install of alvin-bot under
+ * /opt/homebrew/lib/node_modules/alvin-bot would be reported as a git
+ * repo even though it's just plain files shipped via npm.
+ *
+ * The strict check: does PROJECT_ROOT/.git exist?
+ */
+function isOwnGitRepo() {
+    return fs.existsSync(resolve(PROJECT_ROOT, ".git"));
+}
+/**
+ * Heuristic for "this is an npm-global install": PROJECT_ROOT sits
+ * inside a node_modules/alvin-bot directory. Covers:
+ *   - /opt/homebrew/lib/node_modules/alvin-bot (Homebrew node)
+ *   - /usr/local/lib/node_modules/alvin-bot (plain npm)
+ *   - ~/.nvm/versions/node/...alvin-bot (nvm)
+ *   - ~/.volta/tools/image/packages/...alvin-bot (volta)
+ */
+function isNpmGlobalInstall() {
+    return /node_modules[/\\]alvin-bot$/.test(PROJECT_ROOT) || PROJECT_ROOT.includes("node_modules/alvin-bot/");
+}
+function readLocalVersion() {
     try {
-        const { stdout } = await execAsync("git rev-parse --is-inside-work-tree", {
-            cwd: PROJECT_ROOT,
-            timeout: 5_000,
+        const pkgPath = resolve(PROJECT_ROOT, "package.json");
+        const raw = fs.readFileSync(pkgPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return parsed.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+async function fetchRemoteVersion() {
+    try {
+        const { stdout } = await execAsync("npm view alvin-bot version", {
+            timeout: 15_000,
         });
-        return stdout.trim() === "true";
+        return stdout.trim() || null;
     }
     catch {
-        return false;
+        return null;
+    }
+}
+/** Semver-compare A vs B. Returns negative if A < B, 0 if equal, positive if A > B. */
+function compareSemver(a, b) {
+    const norm = (v) => v.replace(/^v/, "").split(/[.-]/).map((p) => parseInt(p, 10) || 0);
+    const av = norm(a);
+    const bv = norm(b);
+    for (let i = 0; i < Math.max(av.length, bv.length); i++) {
+        const diff = (av[i] ?? 0) - (bv[i] ?? 0);
+        if (diff !== 0)
+            return diff;
     }
+    return 0;
 }
 /** Pull latest changes, install deps, rebuild. Returns a structured result
- * instead of throwing so the /update command can report cleanly to Telegram. */
+ *  instead of throwing so the /update command can report cleanly to Telegram.
+ *  Dispatches to the git path for source installs and the npm path for
+ *  npm-global installs. */
 export async function runUpdate() {
     try {
-        const isRepo = await isGitRepo();
-        if (!isRepo) {
-            return {
-                ok: false,
-                message: "Not in a git repo — update only supported for source installs.",
-                requiresRestart: false,
-            };
-        }
-        // Fetch latest without merging
-        await execAsync("git fetch --quiet", {
-            cwd: PROJECT_ROOT,
-            timeout: 30_000,
-        });
-        // Count commits we're behind the upstream
-        let behindCount = 0;
-        try {
-            const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
-                cwd: PROJECT_ROOT,
-                timeout: 10_000,
-            });
-            behindCount = parseInt(stdout.trim() || "0", 10);
-        }
-        catch {
-            // No upstream configured — treat as up-to-date
-            behindCount = 0;
+        if (isOwnGitRepo()) {
+            return await runGitUpdate();
         }
-        if (behindCount === 0) {
-            return {
-                ok: true,
-                message: "Already up to date — no new commits.",
-                requiresRestart: false,
-            };
+        if (isNpmGlobalInstall()) {
+            return await runNpmUpdate();
         }
-        // Fast-forward pull (refuses to merge if history diverged)
-        await execAsync("git pull --ff-only", {
-            cwd: PROJECT_ROOT,
-            timeout: 60_000,
-        });
-        // Install (frozen lockfile to match upstream exactly)
-        await execAsync("pnpm install --frozen-lockfile", {
-            cwd: PROJECT_ROOT,
-            timeout: 180_000,
-        });
-        // Build
-        await execAsync("pnpm run build", {
+        return {
+            ok: false,
+            message: "Update not supported for this install type. Clone the git repo or use npm install -g alvin-bot.",
+            requiresRestart: false,
+        };
+    }
+    catch (err) {
+        const raw = err instanceof Error ? err.message : String(err);
+        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
+        return { ok: false, message, requiresRestart: false };
+    }
+}
+async function runGitUpdate() {
+    // Fetch latest without merging
+    await execAsync("git fetch --quiet", {
+        cwd: PROJECT_ROOT,
+        timeout: 30_000,
+    });
+    // Count commits we're behind the upstream
+    let behindCount = 0;
+    try {
+        const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
             cwd: PROJECT_ROOT,
-            timeout: 180_000,
+            timeout: 10_000,
         });
+        behindCount = parseInt(stdout.trim() || "0", 10);
+    }
+    catch {
+        behindCount = 0;
+    }
+    if (behindCount === 0) {
+        return {
+            ok: true,
+            message: "Already up to date — no new commits.",
+            requiresRestart: false,
+        };
+    }
+    // Fast-forward pull
+    await execAsync("git pull --ff-only", {
+        cwd: PROJECT_ROOT,
+        timeout: 60_000,
+    });
+    // Prefer pnpm if the lockfile exists, otherwise fall back to npm
+    const hasPnpmLock = fs.existsSync(resolve(PROJECT_ROOT, "pnpm-lock.yaml"));
+    const installCmd = hasPnpmLock ? "pnpm install --frozen-lockfile" : "npm install --no-audit --no-fund";
+    const buildCmd = hasPnpmLock ? "pnpm run build" : "npm run build";
+    await execAsync(installCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    await execAsync(buildCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    return {
+        ok: true,
+        message: `Installed ${behindCount} commit(s), build successful.`,
+        requiresRestart: true,
+    };
+}
+async function runNpmUpdate() {
+    const current = readLocalVersion();
+    const latest = await fetchRemoteVersion();
+    if (!latest) {
+        return {
+            ok: false,
+            message: "Could not reach npm registry — check your internet connection.",
+            requiresRestart: false,
+        };
+    }
+    if (current && compareSemver(current, latest) >= 0) {
         return {
             ok: true,
-            message: `Installed ${behindCount} commit(s), build successful.`,
-            requiresRestart: true,
+            message: `Already up to date — v${current} is the latest published version.`,
+            requiresRestart: false,
         };
     }
+    // Newer version exists — install it globally. npm install -g writes to
+    // the globally-scoped node_modules directory (/opt/homebrew/lib/… on
+    // Homebrew, /usr/local/lib/… on plain npm). The running process still
+    // has the old code loaded in memory, so after install we signal the
+    // caller to restart.
+    try {
+        await execAsync("npm install -g alvin-bot@latest --no-audit --no-fund", {
+            timeout: 300_000, // 5 minutes for large installs
+        });
+    }
     catch (err) {
         const raw = err instanceof Error ? err.message : String(err);
-        // Keep error messages short — Telegram has a 4096 char limit and the
-        // user doesn't need a 50-line stack trace.
-        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
-        return { ok: false, message, requiresRestart: false };
+        // Permission errors are the most common npm -g failure mode
+        if (/EACCES|permission denied/i.test(raw)) {
+            return {
+                ok: false,
+                message: `npm install -g failed with permissions. Try: sudo npm install -g alvin-bot@latest`,
+                requiresRestart: false,
+            };
+        }
+        return {
+            ok: false,
+            message: `npm install failed: ${raw.slice(0, 200)}`,
+            requiresRestart: false,
+        };
     }
+    return {
+        ok: true,
+        message: `Installed v${latest} (was v${current ?? "?"}). Restarting...`,
+        requiresRestart: true,
+    };
 }
 export function getAutoUpdate() {
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.8.3",
+  "version": "4.8.5",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",