alvin-bot 4.8.4 → 4.8.6

package/CHANGELOG.md

@@ -2,6 +2,57 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.8.6] — 2026-04-11
+
+### 🐛 LaunchAgent: `/restart` left the bot down forever
+
+Caught on the Mac mini production bot: running `/restart` in Telegram killed the bot cleanly but the process never came back, leaving the bot dead until manual intervention.
+
+**Root cause**: The 4.6.0 LaunchAgent plist template hardcoded a conditional `KeepAlive`:
+
+```xml
+<key>KeepAlive</key>
+<dict>
+    <key>SuccessfulExit</key>
+    <false/>   <!-- don't restart on normal exit -->
+    <key>Crashed</key>
+    <true/>    <!-- only restart on crash -->
+</dict>
+```
+
+That meant launchd would only auto-restart on **crashes**, not on normal exits. But `/restart` (and `/update`) work by calling `process.exit(0)` — a deliberate clean exit — and relying on the process manager to bring the bot back up. With pm2 this always worked because pm2's default is "restart on any exit". With launchd's conditional KeepAlive, `process.exit(0)` was the ONE exit code that guaranteed the bot stayed down.
+
+**Fix**: Plist template now uses `<key>KeepAlive</key><true/>` — unconditional restart on any exit. Matches pm2's default behavior. `ThrottleInterval` dropped from 10s to 5s so recovery is quicker.
+
+**Migration for existing installs**: re-run `alvin-bot launchd install` to get the new plist. The install script unloads the old plist, writes the new one, and reloads it — existing data and running state are preserved.
+
+Also removed the stale "(PM2)" suffix from the `/restart` Telegram command description — it's just "Restart the bot" now, since the command works identically with both pm2 and launchd.
+
+## [4.8.5] — 2026-04-11
+
+### 🐛 `/update` now works for npm-global installs
+
+Caught on the test MacBook: `/update` reported *"Already up to date — no new commits"* even though npm had a newer version published. Root cause was two separate bugs feeding into each other.
+
+**Bug 1 — false git-repo detection**. `isGitRepo()` used `git rev-parse --is-inside-work-tree` which walks up the directory tree looking for any ancestor `.git` folder. On the test MacBook, `alvin-bot` was installed at `/opt/homebrew/lib/node_modules/alvin-bot/` which has no `.git` itself — but Homebrew stores its formula tree at `/opt/homebrew/` as a git repo. So `git rev-parse` walked up, found Homebrew's `.git`, and returned `true`. The updater then dutifully fetched Homebrew's upstream (which was up-to-date), found 0 new commits, and reported "Already up to date" — about the wrong repository.
+
+**Fix**: `isOwnGitRepo()` now does a strict check for `PROJECT_ROOT/.git` directly, no directory walk. False positives from ancestor git repos are impossible.
+
+**Bug 2 — no update path for npm-global installs**. Even with a correct `isGitRepo()` check, the updater would return *"Not in a git repo — update only supported for source installs."* for npm-global installs. That meant you could never update an npm-installed alvin-bot from within the bot itself.
+
+**Fix**: New `runNpmUpdate()` path that kicks in when `PROJECT_ROOT` looks like a `node_modules/alvin-bot` install (covers Homebrew node, plain npm, nvm, volta). It:
+
+1. Reads the local version from `package.json`
+2. Queries `npm view alvin-bot version` for the latest published version
+3. Compares via a tiny semver compare
+4. If newer: runs `npm install -g alvin-bot@latest --no-audit --no-fund` (5 minute timeout)
+5. Signals the caller to restart so the new code takes effect
+6. Detects `EACCES` and suggests `sudo` explicitly instead of a cryptic error
+
+Also improved the git path: falls back to `npm install` + `npm run build` when `pnpm-lock.yaml` doesn't exist (previously hard-coded pnpm).
+
+After 4.8.5, `/update` on the test MacBook will correctly detect the npm install, see that v4.8.4 is the latest, fetch it, and restart. No more false-positive "up to date" when a newer release is out.
+
 ## [4.8.4] — 2026-04-11
 
 ### 🐛 WhatsApp self-chat detection for the new `@lid` identity format

package/bin/cli.js

@@ -1461,15 +1461,10 @@ function renderLaunchdPlist({ label, nodePath, entryPoint, cwd, home, logDir })
     <true/>
 
     <key>KeepAlive</key>
-    <dict>
-        <key>SuccessfulExit</key>
-        <false/>
-        <key>Crashed</key>
-        <true/>
-    </dict>
+    <true/>
 
     <key>ThrottleInterval</key>
-    <integer>10</integer>
+    <integer>5</integer>
 
     <key>StandardOutPath</key>
     <string>${logDir}/alvin-bot.out.log</string>

package/dist/handlers/commands.js

@@ -156,7 +156,7 @@ export function registerCommands(bot) {
         { command: "webui", description: "Open Web UI in browser" },
         { command: "setup", description: "Configure API keys & platforms" },
         { command: "cancel", description: "Cancel running request" },
-        { command: "restart", description: "Restart the bot (PM2)" },
+        { command: "restart", description: "Restart the bot" },
         { command: "update", description: "Pull latest, build, restart" },
         { command: "autoupdate", description: "Auto-update on|off|status" },
     ]).catch(err => console.error("Failed to set bot commands:", err));

package/dist/services/updater.js

@@ -25,83 +25,179 @@ const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot
 const FLAG_FILE = resolve(DATA_DIR, "auto-update.flag");
 const AUTO_CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
 let autoTimer = null;
-async function isGitRepo() {
+/**
+ * Is PROJECT_ROOT itself a git repository? We deliberately do NOT use
+ * `git rev-parse --is-inside-work-tree` because that walks UP the
+ * directory tree and would return true for any ancestor that happens
+ * to be a git repo — e.g. Homebrew stores its formula tree in a git
+ * repo at /opt/homebrew/, so a npm-global install of alvin-bot under
+ * /opt/homebrew/lib/node_modules/alvin-bot would be reported as a git
+ * repo even though it's just plain files shipped via npm.
+ *
+ * The strict check: does PROJECT_ROOT/.git exist?
+ */
+function isOwnGitRepo() {
+    return fs.existsSync(resolve(PROJECT_ROOT, ".git"));
+}
+/**
+ * Heuristic for "this is an npm-global install": PROJECT_ROOT sits
+ * inside a node_modules/alvin-bot directory. Covers:
+ *   - /opt/homebrew/lib/node_modules/alvin-bot (Homebrew node)
+ *   - /usr/local/lib/node_modules/alvin-bot (plain npm)
+ *   - ~/.nvm/versions/node/...alvin-bot (nvm)
+ *   - ~/.volta/tools/image/packages/...alvin-bot (volta)
+ */
+function isNpmGlobalInstall() {
+    return /node_modules[/\\]alvin-bot$/.test(PROJECT_ROOT) || PROJECT_ROOT.includes("node_modules/alvin-bot/");
+}
+function readLocalVersion() {
     try {
-        const { stdout } = await execAsync("git rev-parse --is-inside-work-tree", {
-            cwd: PROJECT_ROOT,
-            timeout: 5_000,
+        const pkgPath = resolve(PROJECT_ROOT, "package.json");
+        const raw = fs.readFileSync(pkgPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return parsed.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+async function fetchRemoteVersion() {
+    try {
+        const { stdout } = await execAsync("npm view alvin-bot version", {
+            timeout: 15_000,
         });
-        return stdout.trim() === "true";
+        return stdout.trim() || null;
     }
     catch {
-        return false;
+        return null;
+    }
+}
+/** Semver-compare A vs B. Returns negative if A < B, 0 if equal, positive if A > B. */
+function compareSemver(a, b) {
+    const norm = (v) => v.replace(/^v/, "").split(/[.-]/).map((p) => parseInt(p, 10) || 0);
+    const av = norm(a);
+    const bv = norm(b);
+    for (let i = 0; i < Math.max(av.length, bv.length); i++) {
+        const diff = (av[i] ?? 0) - (bv[i] ?? 0);
+        if (diff !== 0)
+            return diff;
     }
+    return 0;
 }
 /** Pull latest changes, install deps, rebuild. Returns a structured result
- * instead of throwing so the /update command can report cleanly to Telegram. */
+ *  instead of throwing so the /update command can report cleanly to Telegram.
+ *  Dispatches to the git path for source installs and the npm path for
+ *  npm-global installs. */
 export async function runUpdate() {
     try {
-        const isRepo = await isGitRepo();
-        if (!isRepo) {
-            return {
-                ok: false,
-                message: "Not in a git repo — update only supported for source installs.",
-                requiresRestart: false,
-            };
-        }
-        // Fetch latest without merging
-        await execAsync("git fetch --quiet", {
-            cwd: PROJECT_ROOT,
-            timeout: 30_000,
-        });
-        // Count commits we're behind the upstream
-        let behindCount = 0;
-        try {
-            const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
-                cwd: PROJECT_ROOT,
-                timeout: 10_000,
-            });
-            behindCount = parseInt(stdout.trim() || "0", 10);
-        }
-        catch {
-            // No upstream configured — treat as up-to-date
-            behindCount = 0;
+        if (isOwnGitRepo()) {
+            return await runGitUpdate();
         }
-        if (behindCount === 0) {
-            return {
-                ok: true,
-                message: "Already up to date — no new commits.",
-                requiresRestart: false,
-            };
+        if (isNpmGlobalInstall()) {
+            return await runNpmUpdate();
         }
-        // Fast-forward pull (refuses to merge if history diverged)
-        await execAsync("git pull --ff-only", {
-            cwd: PROJECT_ROOT,
-            timeout: 60_000,
-        });
-        // Install (frozen lockfile to match upstream exactly)
-        await execAsync("pnpm install --frozen-lockfile", {
-            cwd: PROJECT_ROOT,
-            timeout: 180_000,
-        });
-        // Build
-        await execAsync("pnpm run build", {
+        return {
+            ok: false,
+            message: "Update not supported for this install type. Clone the git repo or use npm install -g alvin-bot.",
+            requiresRestart: false,
+        };
+    }
+    catch (err) {
+        const raw = err instanceof Error ? err.message : String(err);
+        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
+        return { ok: false, message, requiresRestart: false };
+    }
+}
+async function runGitUpdate() {
+    // Fetch latest without merging
+    await execAsync("git fetch --quiet", {
+        cwd: PROJECT_ROOT,
+        timeout: 30_000,
+    });
+    // Count commits we're behind the upstream
+    let behindCount = 0;
+    try {
+        const { stdout } = await execAsync("git rev-list --count HEAD..@{upstream}", {
             cwd: PROJECT_ROOT,
-            timeout: 180_000,
+            timeout: 10_000,
         });
+        behindCount = parseInt(stdout.trim() || "0", 10);
+    }
+    catch {
+        behindCount = 0;
+    }
+    if (behindCount === 0) {
+        return {
+            ok: true,
+            message: "Already up to date — no new commits.",
+            requiresRestart: false,
+        };
+    }
+    // Fast-forward pull
+    await execAsync("git pull --ff-only", {
+        cwd: PROJECT_ROOT,
+        timeout: 60_000,
+    });
+    // Prefer pnpm if the lockfile exists, otherwise fall back to npm
+    const hasPnpmLock = fs.existsSync(resolve(PROJECT_ROOT, "pnpm-lock.yaml"));
+    const installCmd = hasPnpmLock ? "pnpm install --frozen-lockfile" : "npm install --no-audit --no-fund";
+    const buildCmd = hasPnpmLock ? "pnpm run build" : "npm run build";
+    await execAsync(installCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    await execAsync(buildCmd, { cwd: PROJECT_ROOT, timeout: 180_000 });
+    return {
+        ok: true,
+        message: `Installed ${behindCount} commit(s), build successful.`,
+        requiresRestart: true,
+    };
+}
+async function runNpmUpdate() {
+    const current = readLocalVersion();
+    const latest = await fetchRemoteVersion();
+    if (!latest) {
+        return {
+            ok: false,
+            message: "Could not reach npm registry — check your internet connection.",
+            requiresRestart: false,
+        };
+    }
+    if (current && compareSemver(current, latest) >= 0) {
         return {
             ok: true,
-            message: `Installed ${behindCount} commit(s), build successful.`,
-            requiresRestart: true,
+            message: `Already up to date — v${current} is the latest published version.`,
+            requiresRestart: false,
         };
     }
+    // Newer version exists — install it globally. npm install -g writes to
+    // the globally-scoped node_modules directory (/opt/homebrew/lib/… on
+    // Homebrew, /usr/local/lib/… on plain npm). The running process still
+    // has the old code loaded in memory, so after install we signal the
+    // caller to restart.
+    try {
+        await execAsync("npm install -g alvin-bot@latest --no-audit --no-fund", {
+            timeout: 300_000, // 5 minutes for large installs
+        });
+    }
     catch (err) {
         const raw = err instanceof Error ? err.message : String(err);
-        // Keep error messages short — Telegram has a 4096 char limit and the
-        // user doesn't need a 50-line stack trace.
-        const message = raw.length > 300 ? raw.slice(0, 300) + "…" : raw;
-        return { ok: false, message, requiresRestart: false };
+        // Permission errors are the most common npm -g failure mode
+        if (/EACCES|permission denied/i.test(raw)) {
+            return {
+                ok: false,
+                message: `npm install -g failed with permissions. Try: sudo npm install -g alvin-bot@latest`,
+                requiresRestart: false,
+            };
+        }
+        return {
+            ok: false,
+            message: `npm install failed: ${raw.slice(0, 200)}`,
+            requiresRestart: false,
+        };
     }
+    return {
+        ok: true,
+        message: `Installed v${latest} (was v${current ?? "?"}). Restarting...`,
+        requiresRestart: true,
+    };
 }
 export function getAutoUpdate() {
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.8.4",
+  "version": "4.8.6",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",