alvin-bot 4.8.8 → 4.9.0

package/CHANGELOG.md

@@ -2,6 +2,78 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.9.0] — 2026-04-11
+
+### 🛡 Stability batch: crash-loop eliminated, cron jobs restart-resistant, cleaner logs
+
+Production users reported a daily-job-alert that "kept crashing" — the cron job triggered at 08:00, died mid-execution, and the next scheduled run silently disappeared until the next day. Root cause was not a single bug but a chain of four: the HTTP Web UI never released its port on shutdown → `EADDRINUSE :::3100` uncaught crash-loop → the cron scheduler persisted `nextRunAt = null` pre-execution → restart rewrote it to "tomorrow 08:00" → the run was lost. In parallel, sub-agents that ended on a tool call reported "completed" with only the pre-tool text as output, and grammy's "message is not modified" races leaked into Telegram replies as `Fehler: Call to 'editMessageText' failed!`.
+
+This release closes the whole chain, adds the Tier 0 of the browser fallback, and installs timestamped logs so future forensics don't need timestamp-free grep archaeology.
+
+**Pure functions extracted for isolated testing** (36 new tests, 154 total):
+
+- `src/services/cron-scheduling.ts` — `prepareForExecution(job, now)` and `handleStartupCatchup(jobs, now, graceMs)`. The old scheduler set `nextRunAt = null` before `await executeJob(job)` and only recomputed after completion. A crash mid-execution left `nextRunAt = null`; the next boot recomputed it from the current time → always landed on tomorrow's trigger. Now `prepareForExecution` persists the NEXT regular trigger BEFORE running, and stamps `lastAttemptAt`. If `lastAttemptAt > lastRunAt` at boot and the attempt is ≤ 6 h old, `handleStartupCatchup` rewinds `nextRunAt` to `now` so the next tick picks it up. New `CronJob.lastAttemptAt` field (`number | null`).
+- `src/services/watchdog-brake.ts` — `decideBrakeAction(prev, now, opts)` and `shouldResetCrashCounter(uptimeMs, opts)`. The old brake reset `crashCount` after 5 minutes of clean uptime, which was shorter than the typical sub-agent lifetime — chronic crashes with 5–10 min gaps passed the brake indefinitely. New policy: **1 h clean uptime required for reset**, plus a hard **20 crashes / 24 h** daily cap alongside the existing 10 crashes / 10 min short-window cap. Both counters persist in the beacon.
+- `src/util/debounce.ts` — trailing-edge debounce for fs.watch coalescing.
+- `src/util/console-formatter.ts` — `installConsoleFormatter()`: monkey-patches `console.log/warn/info/error` to prefix every line with an ISO timestamp, and drops libsignal "Closing session" multi-line SessionEntry dumps + `[claude] Native binary` spam that were pushing tens of KB per day into `alvin-bot.out.log` / `alvin-bot.err.log`.
+- `src/util/telegram-error-filter.ts` — `isHarmlessTelegramError(err)`: single source of truth for benign grammy races (`message is not modified`, `query is too old`, `message to edit not found`, `MESSAGE_ID_INVALID`, …).
+- `src/services/browser-webfetch.ts` — `webfetchNavigate(url, opts)` + `parseTitle(html)` + `WebfetchFailed`: Tier 0 of the browser fallback chain. Plain `fetch()` instead of Playwright for static pages.
+- `src/platforms/whatsapp-auth-helpers.ts` — `makeResilientSaveCreds(authDir, inner)`: wraps baileys' `saveCreds` so an ENOENT from a vanished auth dir transparently recreates the directory and retries once.
+
+**Fixes wired into the existing modules:**
+
+- **`src/web/server.ts` — new `stopWebServer(server)`.** Closes WebSocket clients, calls `closeIdleConnections()` + `closeAllConnections()` (Node 18.2+) so long-poll clients can't stall the shutdown, then awaits `server.close()`. Called from `shutdown()` in `src/index.ts`. Before this fix, launchd restarted the bot → new process tried `server.listen(3100)` → `EADDRINUSE` → uncaught exception → exit → launchd again. Classic crash-loop. **This single fix stops the chain.**
+- **`src/services/cron.ts`** — scheduler rewired to call `prepareForExecution` pre-execution and `handleStartupCatchup` at boot. `lastResult` truncation bumped from 500 → 4000 chars so post-mortem is possible without running the job again.
+- **`src/services/watchdog.ts`** — beacon schema extended with `dailyCrashCount` + `dailyCrashWindowStart`; `startWatchdog` now delegates the brake decision to the pure `decideBrakeAction`. Recovery timer still fires, but only resets the counter if `shouldResetCrashCounter` agrees (≥ 1 h uptime).
+- **`src/services/subagents.ts`** — `runSubAgent` now reads `finalText` from the `done` chunk as the authoritative final output (was ignored before), preserves buffered text when the stream emits an `error` chunk, and — most importantly — keeps `finalText` when the catch handler fires (was `output: ""`, throwing away multi-minute runs). Variable scope moved outside the try block. New `error` status branch for mid-stream provider failures.
+- **`src/services/subagent-delivery.ts`** — `buildBanner` now renders `⚠️ completed · empty output` for the "successful run with zero text" case so truncated runs are immediately visible instead of hiding behind a green tick.
+- **`src/services/skills.ts`** — `fs.watch` callbacks wrapped in `debounce(…, 300)` so macOS FSEvents duplicates coalesce into one reload.
+- **`src/services/browser-manager.ts`** — new `webfetch` tier added as default for non-interactive tasks. `resolveStrategy` cascade is now `webfetch → hub-stealth → cdp → gateway → cli`. `navigate()` has an error-based fallback: if `webfetch` throws (403, 5xx, content-type mismatch), it transparently upgrades to `hub-stealth` then `cli` before giving up.
+- **`src/platforms/whatsapp.ts`** — `saveCreds` wrapped in `makeResilientSaveCreds` so a vanished auth dir self-heals instead of becoming an unhandled rejection.
+- **`src/handlers/message.ts`, `src/services/telegram.ts`, `src/index.ts` (bot.catch + streaming finalize)** — all three call sites that used to ship the raw grammy error to users now route through `isHarmlessTelegramError`. The `Fehler: Call to 'editMessageText' failed!` noise that 2-3 users per day were seeing is gone.
+
+**What is NOT changed:**
+
+- **Timeouts.** The v4.8.8 `defaultTimeoutMs = -1` (unlimited) behavior is preserved. Sub-agents and cron jobs can still run as long as they need.
+- **The cron job `payload.prompt`s.** Users' existing cron definitions keep working unchanged.
+- **The beacon file format back-compat.** Old beacons without the daily counters are read correctly; the new fields are seeded to 0/now on first boot.
+
+**How to verify after update:**
+
+1. `launchctl unload ~/Library/LaunchAgents/com.alvinbot.app.plist && launchctl load ~/Library/LaunchAgents/com.alvinbot.app.plist`
+2. Tail `~/.alvin-bot/logs/alvin-bot.out.log` — every line should now carry an ISO timestamp and libsignal SessionEntry dumps should be gone.
+3. Check `~/.alvin-bot/state/watchdog.json` — should contain `dailyCrashCount` / `dailyCrashWindowStart` within a minute.
+4. Send `/cron run Daily Job Alert` — subagent-delivery banner should render fully, `~/.alvin-bot/cron-jobs.json` should show `lastAttemptAt` and a post-execution `lastRunAt`.
+5. Trigger a deliberate edit race (double-tap an inline button quickly) — no `Fehler: Call to 'editMessageText' failed!` reply should land in the chat.
+
+## [4.8.9] — 2026-04-11
+
+### 🐛 Browser automation: dead `browse-server.cjs` path removed, 3-tier router now the source of truth
+
+The `browse` skill used to instruct the agent to start `node scripts/browse-server.cjs` on port 3800 for every browser task. That file was deleted in an earlier cleanup (see `20283c9` for the original 577-line version — now gone), but `skills/browse/SKILL.md` was never updated. Result: any browser-related user message on Telegram — or any cron job that hit the skill — got a system-prompt injection telling it to call a gateway that didn't exist, producing half-failed runs like the "Daily Job Alert" cron that couldn't load LinkedIn or StepStone.
+
+**What changed:**
+
+- **`skills/browse/SKILL.md` — full rewrite.** Now documents the hub 3-tier router at `~/.claude/hub/SCRIPTS/browser.sh`:
+  - **Tier 0** — WebFetch / `curl` for static pages and APIs
+  - **Tier 1** — `browser.sh stealth <url>` (Playwright + stealth plugin, headless, Cloudflare-masking)
+  - **Tier 2** — `browser.sh cdp {start|goto|shot|tabs|stop}` (real Chrome with persistent profile at `~/.claude/hub/BROWSER/profile/`, login cookies survive restarts)
+  - **Tier 3** — Claude-in-Chrome extension via MCP tools (interactive CLI only)
+  - Explicit escalation ladder (WebFetch → stealth → CDP → ask Ali to log in) and a `NIEMALS browse-server.cjs nutzen` anti-rule.
+  - Concrete working targets (StepStone ✅, Michael Page ✅, LinkedIn ✅ with login, Indeed ❌) so the agent knows what to try where.
+
+- **`src/services/browser-manager.ts` — hardened fallback chain.** The multi-strategy manager already had the right *shape* (`gateway → cdp → hub-stealth → cli`) but several ops silently broke or hung:
+  - **`gatewayRequest` now has a 15 s timeout** (`req.destroy` on elapse). Previously a hung gateway would wedge the caller forever.
+  - **CDP fallback for interactive ops.** `click`, `fill`, `type`, `press`, `scroll`, `evaluate`, `info`, and `getTree` used to hard-throw `"requires gateway"` when `browse-server.cjs` wasn't running. They now try the gateway first, then a short-lived `chromium.connectOverCDP()` via a new `withCdpPage()` helper that reuses Ali's live Chrome on port 9222. Refs are interpreted as CSS selectors when gateway is absent.
+  - **Explicit PNG extension** on auto-generated screenshot filenames (`shot_<ts>.png`) so Playwright's format inference is unambiguous.
+  - **Better error messages** — every "needs interactive" throw now includes the exact command to start CDP Chrome (`~/.claude/hub/SCRIPTS/browser.sh cdp start headless`).
+
+- **`src/paths.ts` — `HUB_BROWSER_SH` constant.** New absolute path to `~/.claude/hub/SCRIPTS/browser.sh` so the manager can shell out without hard-coding `os.homedir()` inline.
+
+**Why this matters:** `browser-manager.ts` is still not wired into any bot code path (it's future-proofing), so the production fix for user-interactive flows is `SKILL.md`. The manager hardening ensures that when it does eventually get wired into a sub-agent tool, it won't hang on missing gateways or lose all interactive capability when only CDP is available.
+
+**Testing:** Tier 1 stealth end-to-end against `stepstone.de/jobs/it-delivery-director` → 1.2 MB HTML, title parsed. Module-level integration test: `navigate('https://example.com')` via auto-selected hub-stealth → correct title/URL. `resolveStrategy('gateway')` → cascades to CDP with visible warning. `info()` via CDP fallback → returns live Chrome state without throwing. Skills reload picks up the new SKILL.md (5977 chars), `matchSkills("browse linkedin")` hits the browse skill, `buildSkillContext("open stepstone.de")` injects the 3-tier guidance block.
+
 ## [4.8.8] — 2026-04-11
 
 ### ✨ Unlimited sub-agent & cron timeouts (user-configurable)

package/dist/handlers/message.js

@@ -14,6 +14,7 @@ import { emit } from "../services/hooks.js";
 import { trackUsage } from "../services/usage-tracker.js";
 import { emitUserMessage as broadcastUserMessage, emitResponseStart as broadcastResponseStart, emitResponseDelta as broadcastResponseDelta, emitResponseDone as broadcastResponseDone, } from "../services/broadcast.js";
 import { t } from "../i18n.js";
+import { isHarmlessTelegramError } from "../util/telegram-error-filter.js";
 /**
  * Stuck-only timeout — NO absolute cap.
  *
@@ -367,7 +368,7 @@ export async function handleMessage(ctx) {
                     if (timedOut) {
                         await ctx.reply(t("bot.error.timeoutStuck", session.language, { min: STUCK_TIMEOUT_MINUTES }));
                     }
-                    else {
+                    else if (!isHarmlessTelegramError(chunk.error)) {
                         await ctx.reply(`${t("bot.error.prefix", session.language)} ${chunk.error}`);
                     }
                     break;
@@ -419,7 +420,9 @@ export async function handleMessage(ctx) {
         else if (errorMsg.includes("abort")) {
             await ctx.reply(t("bot.error.requestCancelled", lang));
         }
-        else {
+        else if (!isHarmlessTelegramError(err)) {
+            // Drop benign grammy races ("message is not modified", etc.)
+            // instead of surfacing them as "Fehler: ..." replies.
             await ctx.reply(`${t("bot.error.prefix", lang)} ${errorMsg}`);
         }
     }

package/dist/index.js

@@ -1,6 +1,12 @@
 // ── Bootstrap: ensure ~/.alvin-bot/ exists + migrate legacy data ────
 import { ensureDataDirs, seedDefaults } from "./init-data-dir.js";
 import { hasLegacyData, migrateFromLegacy } from "./migrate.js";
+import { installConsoleFormatter } from "./util/console-formatter.js";
+import { isHarmlessTelegramError } from "./util/telegram-error-filter.js";
+// 0. Install timestamp + noise-filter formatters on console.* so every
+//    line in out.log / err.log carries an ISO timestamp and libsignal's
+//    SessionEntry dumps stop burying the signal.
+installConsoleFormatter();
 // 1. Create directory structure (no files yet)
 ensureDataDirs();
 // 2. Migrate legacy data BEFORE seeding defaults (so real data wins over templates)
@@ -70,7 +76,7 @@ import { handleVideo } from "./handlers/video.js";
 import { initEngine } from "./engine.js";
 import { loadPlugins, registerPluginCommands, unloadPlugins } from "./services/plugins.js";
 import { initMCP, disconnectMCP, hasMCPConfig } from "./services/mcp.js";
-import { startWebServer } from "./web/server.js";
+import { startWebServer, stopWebServer } from "./web/server.js";
 import { startScheduler, stopScheduler, setNotifyCallback } from "./services/cron.js";
 import { startSessionCleanup, stopSessionCleanup } from "./services/session.js";
 import { processQueue, cleanupQueue, setSenders, enqueue } from "./services/delivery-queue.js";
@@ -220,16 +226,11 @@ if (hasTelegram) {
     bot.catch((err) => {
         const ctx = err.ctx;
         const e = err.error;
-        // Telegram's "message is not modified" (400) is harmless — it fires
-        // when a callback handler re-renders an inline keyboard / edited
-        // message with content that happens to match the current message
-        // exactly (e.g. double-tapped toggle button, identical list after
-        // re-render). Swallow it silently so it neither pollutes the logs
-        // nor bubbles up to the user as "internal error".
-        const msg = e instanceof Error ? e.message : String(e);
-        if (/message is not modified/i.test(msg) || /specified new message content.*exactly the same/i.test(msg)) {
+        // Swallow the well-known harmless grammy races (message is not
+        // modified, query too old, message to edit not found …) silently.
+        // See src/util/telegram-error-filter.ts for the exhaustive list.
+        if (isHarmlessTelegramError(e))
             return;
-        }
         console.error(`Error handling update ${ctx?.update?.update_id}:`, e);
         // Try to notify the user
         if (ctx?.chat?.id) {
@@ -260,6 +261,9 @@ const shutdown = async () => {
         clearInterval(queueCleanupInterval);
     if (bot)
         bot.stop();
+    // Release :3100 so the next launchd boot doesn't hit EADDRINUSE.
+    // Must happen before exit — see src/web/server.ts stopWebServer() comment.
+    await stopWebServer(webServer).catch((err) => console.warn("[shutdown] stopWebServer failed:", err));
     await unloadPlugins().catch(() => { });
     await disconnectMCP().catch(() => { });
     // Tear down any bot-managed local runners (Ollama, LM Studio, …) so VRAM

package/dist/paths.js

@@ -86,6 +86,8 @@ export const AGENTS_FILE = resolve(DATA_DIR, "AGENTS.md");
 export const HOOKS_DIR = resolve(DATA_DIR, "hooks");
 /** scripts/browse-server.cjs — HTTP gateway for persistent browser sessions */
 export const BROWSE_SERVER_SCRIPT = resolve(BOT_ROOT, "scripts", "browse-server.cjs");
+/** ~/.claude/hub/SCRIPTS/browser.sh — Hub 3-tier browser router (stealth, CDP, ext) */
+export const HUB_BROWSER_SH = resolve(os.homedir(), ".claude", "hub", "SCRIPTS", "browser.sh");
 /** data/exec-allowlist.json — User-defined exec allowlist */
 export const EXEC_ALLOWLIST_FILE = resolve(DATA_DIR, "exec-allowlist.json");
 /** assets/ — User asset files (CVs, cover letters, legal docs, photos) */

package/dist/platforms/whatsapp-auth-helpers.js

@@ -0,0 +1,53 @@
+/**
+ * WhatsApp auth helpers — tiny resilience wrappers around baileys'
+ * use-multi-file-auth-state output.
+ *
+ * Why this exists: baileys' `saveCreds` is called asynchronously from
+ * the `creds.update` socket event, long after the auth directory was
+ * created at init time. If anything wipes the directory between init
+ * and the first save — a crash mid-init, a manual rm -rf, a stale
+ * worker on a different code path — the write throws ENOENT and becomes
+ * an `unhandledRejection`, which node 15+ default-reports as a crash.
+ *
+ * This module keeps the wrapper separate from `whatsapp.ts` so it can
+ * be unit-tested without having to drag baileys into the test process.
+ */
+import fs from "fs";
+/**
+ * Wrap a baileys saveCreds so a missing auth directory is transparently
+ * recreated once and the save is retried. Any other error, and any
+ * second ENOENT in a row, surfaces unchanged.
+ */
+export function makeResilientSaveCreds(authDir, innerSaveCreds) {
+    return async function resilientSaveCreds() {
+        try {
+            await innerSaveCreds();
+            return;
+        }
+        catch (err) {
+            if (!isEnoent(err))
+                throw err;
+            // baileys-auth dir vanished between init and now — rebuild and retry once.
+            try {
+                fs.mkdirSync(authDir, { recursive: true });
+            }
+            catch {
+                // If mkdir itself fails, fall through to the retry — it will surface
+                // the real error below with its original stack.
+            }
+            await innerSaveCreds();
+        }
+    };
+}
+function isEnoent(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    const code = err.code;
+    if (code === "ENOENT")
+        return true;
+    // Some baileys wrapper paths re-throw as a plain Error with a message
+    // like "ENOENT: no such file or directory, open '.../creds.json'" but
+    // without .code — match the message as a fallback.
+    const msg = err.message || "";
+    return /ENOENT/.test(msg);
+}

package/dist/platforms/whatsapp.js

@@ -19,6 +19,7 @@
 import fs from "fs";
 import { dirname, join } from "path";
 import { WHATSAPP_AUTH as AUTH_DIR, WA_GROUPS as GROUP_CONFIG_FILE, WA_MEDIA_DIR } from "../paths.js";
+import { makeResilientSaveCreds } from "./whatsapp-auth-helpers.js";
 function loadGroupConfig() {
     try {
         return JSON.parse(fs.readFileSync(GROUP_CONFIG_FILE, "utf-8"));
@@ -250,8 +251,11 @@ export class WhatsAppAdapter {
             generateHighQualityLinkPreview: false,
         });
         this.sock = sock;
-        // Save credentials on update
-        sock.ev.on("creds.update", saveCreds);
+        // Save credentials on update. Wrapped so a vanished auth dir (crash
+        // mid-init, manual cleanup, etc.) doesn't turn the next creds.update
+        // into an unhandled ENOENT rejection.
+        const resilientSaveCreds = makeResilientSaveCreds(authDir, saveCreds);
+        sock.ev.on("creds.update", resilientSaveCreds);
         // Connection state
         sock.ev.on("connection.update", (update) => {
             const { connection, lastDisconnect, qr } = update;