alvin-bot 4.8.8 → 4.9.0

package/dist/services/watchdog.js

@@ -27,15 +27,13 @@ import { resolve } from "path";
 import os from "os";
 import { execSync } from "child_process";
 import { BOT_VERSION } from "../version.js";
+import { decideBrakeAction, shouldResetCrashCounter, DEFAULTS, } from "./watchdog-brake.js";
 const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot");
 const STATE_DIR = resolve(DATA_DIR, "state");
 const BEACON_FILE = resolve(STATE_DIR, "watchdog.json");
 const ALERT_FILE = resolve(STATE_DIR, "crash-loop.alert");
 const BEACON_INTERVAL_MS = 30_000; // write a beacon every 30 s
-const CRASH_WINDOW_MS = 10 * 60 * 1000; // 10 min — crashes within this count toward the brake
-const CRASH_BRAKE_THRESHOLD = 10; // after this many crashes in the window, brake
-const STALE_BEACON_MS = 90_000; // a beacon older than this is considered "old enough that previous process really exited"
-const RECOVERY_UPTIME_MS = 5 * 60 * 1000; // 5 min of clean uptime resets the counter
+// Thresholds and windows live in watchdog-brake.ts DEFAULTS.
 let beaconTimer = null;
 let resetTimer = null;
 let bootTime = 0;
@@ -57,7 +55,21 @@ function readBeacon() {
             typeof parsed.crashCount === "number" &&
             typeof parsed.crashWindowStart === "number" &&
             typeof parsed.version === "string") {
-            return parsed;
+            // Older beacons don't have daily-counter fields — default them to
+            // 0/now so the brake logic treats this run as the start of the
+            // first daily window.
+            return {
+                lastBeat: parsed.lastBeat,
+                pid: parsed.pid,
+                bootTime: parsed.bootTime,
+                crashCount: parsed.crashCount,
+                crashWindowStart: parsed.crashWindowStart,
+                version: parsed.version,
+                dailyCrashCount: typeof parsed.dailyCrashCount === "number" ? parsed.dailyCrashCount : 0,
+                dailyCrashWindowStart: typeof parsed.dailyCrashWindowStart === "number"
+                    ? parsed.dailyCrashWindowStart
+                    : Date.now(),
+            };
         }
         return null;
     }
@@ -78,8 +90,9 @@ function writeAlert(reason, crashCount) {
         const content = [
             `Alvin Bot crash-loop brake hit at ${new Date().toISOString()}`,
             `Version: ${BOT_VERSION}`,
-            `Crashes in the last ${CRASH_WINDOW_MS / 60_000} minutes: ${crashCount}`,
-            `Threshold: ${CRASH_BRAKE_THRESHOLD}`,
+            `Crashes in the last ${DEFAULTS.SHORT_WINDOW_MS / 60_000} minutes: ${crashCount}`,
+            `Short-window threshold: ${DEFAULTS.SHORT_BRAKE_THRESHOLD}`,
+            `Daily threshold: ${DEFAULTS.DAILY_BRAKE_THRESHOLD}`,
             ``,
             `Reason: ${reason}`,
             ``,
@@ -147,36 +160,25 @@ export function startWatchdog() {
     ensureStateDir();
     bootTime = Date.now();
     const previous = readBeacon();
-    let crashCount = 0;
-    let crashWindowStart = bootTime;
+    const decision = decideBrakeAction(previous, bootTime);
+    if (decision.action === "brake") {
+        console.error(`[watchdog] crash-loop brake triggered: ${decision.reason}`);
+        writeAlert(decision.reason, previous?.crashCount ?? 0);
+        checkCrashLoopBrake();
+        // checkCrashLoopBrake calls process.exit — execution never reaches here.
+        return;
+    }
+    let crashCount = decision.crashCount;
+    let crashWindowStart = decision.crashWindowStart;
+    let dailyCrashCount = decision.dailyCrashCount;
+    let dailyCrashWindowStart = decision.dailyCrashWindowStart;
     if (previous) {
         const timeSinceLastBeat = bootTime - previous.lastBeat;
-        const inWindow = bootTime - previous.crashWindowStart < CRASH_WINDOW_MS;
-        if (timeSinceLastBeat < STALE_BEACON_MS) {
-            // Previous process exited very recently → that's a crash (or a
-            // graceful exit immediately followed by a restart, which we treat
-            // the same way for the brake — the goal is to detect rapid cycles).
-            if (inWindow) {
-                crashCount = previous.crashCount + 1;
-                crashWindowStart = previous.crashWindowStart;
-            }
-            else {
-                // Previous crash was outside the window → reset counter
-                crashCount = 1;
-            }
-            console.log(`[watchdog] detected restart after ${Math.round(timeSinceLastBeat / 1000)}s — crash ${crashCount}/${CRASH_BRAKE_THRESHOLD} in current ${CRASH_WINDOW_MS / 60_000}min window`);
-            if (crashCount >= CRASH_BRAKE_THRESHOLD) {
-                console.error(`[watchdog] crash-loop brake triggered (${crashCount} crashes in ${CRASH_WINDOW_MS / 60_000}min)`);
-                writeAlert(`Process restarted ${crashCount} times within ${CRASH_WINDOW_MS / 60_000} minutes. Last beacon was ${Math.round(timeSinceLastBeat / 1000)}s ago. Most likely a deterministic crash on startup.`, crashCount);
-                // Re-use the brake check to unload + exit cleanly
-                checkCrashLoopBrake();
-            }
-        }
-        else {
-            // Previous beacon was old → process had clean uptime before exit,
-            // OR system was rebooted between runs. Reset crash count.
-            crashCount = 0;
-            crashWindowStart = bootTime;
+        if (timeSinceLastBeat < DEFAULTS.STALE_BEACON_MS) {
+            console.log(`[watchdog] detected restart after ${Math.round(timeSinceLastBeat / 1000)}s — ` +
+                `crash ${crashCount}/${DEFAULTS.SHORT_BRAKE_THRESHOLD} in current ` +
+                `${DEFAULTS.SHORT_WINDOW_MS / 60_000}min window, ` +
+                `${dailyCrashCount}/${DEFAULTS.DAILY_BRAKE_THRESHOLD} in current 24h window`);
         }
     }
     // Write the first beacon immediately so a fresh restart updates the file
@@ -186,6 +188,8 @@ export function startWatchdog() {
         bootTime,
         crashCount,
         crashWindowStart,
+        dailyCrashCount,
+        dailyCrashWindowStart,
         version: BOT_VERSION,
     });
     // Periodic beacon writer
@@ -196,15 +200,20 @@ export function startWatchdog() {
             bootTime,
             crashCount,
             crashWindowStart,
+            dailyCrashCount,
+            dailyCrashWindowStart,
             version: BOT_VERSION,
         });
     }, BEACON_INTERVAL_MS);
-    // Schedule a recovery counter reset after RECOVERY_UPTIME_MS of clean
-    // uptime. If we make it that far without dying, the bot is healthy
-    // again and we shouldn't penalize a future single crash.
+    // Schedule a recovery counter reset after RESET_AFTER_MS (1 h by default)
+    // of clean uptime. The old policy was 5 min — too short because chronic
+    // crashes often had 5-10 min gaps and never tripped the brake.
     resetTimer = setTimeout(() => {
-        if (crashCount > 0) {
-            console.log(`[watchdog] ${RECOVERY_UPTIME_MS / 60_000}min clean uptime — resetting crash counter from ${crashCount} to 0`);
+        const uptime = Date.now() - bootTime;
+        if (shouldResetCrashCounter(uptime) && crashCount > 0) {
+            console.log(`[watchdog] ${Math.round(uptime / 60_000)}min clean uptime — ` +
+                `resetting short-window crash counter from ${crashCount} to 0 ` +
+                `(daily counter ${dailyCrashCount} stays)`);
             crashCount = 0;
             crashWindowStart = Date.now();
             writeBeacon({
@@ -213,11 +222,16 @@ export function startWatchdog() {
                 bootTime,
                 crashCount,
                 crashWindowStart,
+                dailyCrashCount,
+                dailyCrashWindowStart,
                 version: BOT_VERSION,
             });
         }
-    }, RECOVERY_UPTIME_MS);
-    console.log(`[watchdog] started — beacon every ${BEACON_INTERVAL_MS / 1000}s, brake at ${CRASH_BRAKE_THRESHOLD} crashes per ${CRASH_WINDOW_MS / 60_000}min, recovery after ${RECOVERY_UPTIME_MS / 60_000}min uptime`);
+    }, DEFAULTS.RESET_AFTER_MS);
+    console.log(`[watchdog] started — beacon every ${BEACON_INTERVAL_MS / 1000}s, ` +
+        `brake at ${DEFAULTS.SHORT_BRAKE_THRESHOLD} crashes / ${DEFAULTS.SHORT_WINDOW_MS / 60_000}min ` +
+        `or ${DEFAULTS.DAILY_BRAKE_THRESHOLD} / 24h, ` +
+        `recovery after ${DEFAULTS.RESET_AFTER_MS / 60_000}min uptime`);
 }
 /**
  * Stop the watchdog cleanly. Called from the shutdown handler in

package/dist/util/console-formatter.js

@@ -0,0 +1,109 @@
+/**
+ * Console formatter — adds ISO timestamps to every console.log /
+ * console.warn / console.error call, and drops high-volume noise
+ * (libsignal session dumps, Claude CLI native-binary banner).
+ *
+ * Installed once at bootstrap time from src/index.ts. Idempotent.
+ *
+ * Why not pino / winston: those pull in several MB of deps and change
+ * the call-site ergonomics. Every caller in the bot today uses plain
+ * `console.log`; monkey-patching those is a 40-line change instead of
+ * a refactor of every file.
+ */
+import util from "node:util";
+let snapshot = null;
+/**
+ * Noise patterns from production logs that fill out.log/err.log with
+ * tens of KB per day without carrying useful signal. Added sparingly —
+ * every entry here is a line a human will never need to grep for.
+ */
+const NOISE_PATTERNS = [
+    // libsignal session dump header — the multi-line body following this
+    // line is silenced by the first-line detector below.
+    /^Closing session: SessionEntry \{/,
+    // libsignal prekey bundle swap notification
+    /^Closing open session in favor of incoming prekey bundle/,
+    // Claude CLI startup banner — spammed once per query
+    /^\[claude\] Native binary: /,
+    // libsignal Bad MAC — session desync, harmless, repeats endlessly
+    /^Session error:Error: Bad MAC Error: Bad MAC/,
+];
+/** Exported for testing. */
+export function isNoisyLine(line) {
+    return NOISE_PATTERNS.some((re) => re.test(line));
+}
+/**
+ * Track whether we're currently inside a libsignal multi-line dump. The
+ * dumps look like `Closing session: SessionEntry {` followed by several
+ * lines of buffer hex, closing with `}`. We swallow everything from the
+ * opening brace to its matching `}` line.
+ */
+let suppressDepth = 0;
+function shouldSuppress(raw) {
+    const line = raw.trimEnd();
+    if (suppressDepth > 0) {
+        // Inside a multi-line dump — count braces on this line. The dumps
+        // only contain ASCII braces in the structural positions, so this
+        // is safe enough for production noise.
+        const opens = (line.match(/\{/g) || []).length;
+        const closes = (line.match(/\}/g) || []).length;
+        suppressDepth += opens;
+        suppressDepth -= closes;
+        if (suppressDepth < 0)
+            suppressDepth = 0;
+        return true;
+    }
+    if (isNoisyLine(line)) {
+        // If the noisy header opens a block, start suppressing its body.
+        const opens = (line.match(/\{/g) || []).length;
+        const closes = (line.match(/\}/g) || []).length;
+        suppressDepth = Math.max(0, opens - closes);
+        return true;
+    }
+    return false;
+}
+function formatWithTimestamp(method, stream) {
+    return (...args) => {
+        // Render args the same way console does — util.format handles %s / %d / objects.
+        const text = renderArgs(args);
+        if (shouldSuppress(text))
+            return;
+        const stamp = new Date().toISOString();
+        // Write directly to the stream so we don't recurse through console.
+        stream.write(`${stamp} ${text}\n`);
+        void method; // keep original ref alive for uninstall
+    };
+}
+function renderArgs(args) {
+    // Use Node's built-in util.format — it matches console.* exactly.
+    return util.format(...args);
+}
+/**
+ * Install timestamp + noise-filter formatters on console.log/warn/info/error.
+ * Safe to call multiple times.
+ */
+export function installConsoleFormatter() {
+    if (snapshot)
+        return; // already installed
+    snapshot = {
+        log: console.log.bind(console),
+        warn: console.warn.bind(console),
+        error: console.error.bind(console),
+        info: console.info.bind(console),
+    };
+    console.log = formatWithTimestamp(snapshot.log, process.stdout);
+    console.info = formatWithTimestamp(snapshot.info, process.stdout);
+    console.warn = formatWithTimestamp(snapshot.warn, process.stderr);
+    console.error = formatWithTimestamp(snapshot.error, process.stderr);
+}
+/** Restore the original console methods. Used by tests + shutdown. */
+export function uninstallConsoleFormatter() {
+    if (!snapshot)
+        return;
+    console.log = snapshot.log;
+    console.info = snapshot.info;
+    console.warn = snapshot.warn;
+    console.error = snapshot.error;
+    snapshot = null;
+    suppressDepth = 0;
+}

package/dist/util/debounce.js

@@ -0,0 +1,24 @@
+/**
+ * Trailing-edge debounce. Delays `fn` until `waitMs` has elapsed since
+ * the most recent call. Coalesces bursts into a single invocation with
+ * the most recent arguments.
+ *
+ * Used by fs.watch consumers (skills, plugins) where macOS FSEvents
+ * delivers many duplicate events for a single logical change.
+ */
+export function debounce(fn, waitMs) {
+    let timer = null;
+    let lastArgs = null;
+    return function debounced(...args) {
+        lastArgs = args;
+        if (timer)
+            clearTimeout(timer);
+        timer = setTimeout(() => {
+            timer = null;
+            const call = lastArgs;
+            lastArgs = null;
+            if (call)
+                fn(...call);
+        }, waitMs);
+    };
+}

package/dist/util/telegram-error-filter.js

@@ -0,0 +1,62 @@
+/**
+ * Telegram error filter — single source of truth for "which grammy
+ * errors are harmless and should never reach the end user as a
+ * 'Fehler: ...' reply."
+ *
+ * Context: grammy's Bot API wrapper surfaces these as plain Error
+ * objects with the description baked into `.message`. Some call sites
+ * (live-stream edit races, callback-answer races after a modal was
+ * already dismissed, message-to-edit-gone races when the user just
+ * deleted the message) produce errors that are 100% benign — they
+ * just mean the UI state we were about to write is already there.
+ *
+ * This file centralises the list so we can update one regex and have
+ * the filter apply everywhere. Used by bot.catch(), by the streaming
+ * `telegram.ts` finalize path, by handlers/message.ts, and by any
+ * future caller that needs to decide "report this to the user or
+ * drop it silently."
+ */
+const HARMLESS_PATTERNS = [
+    // The big one — live-stream edit races
+    /message is not modified/i,
+    /specified new message content and reply markup are exactly the same/i,
+    // Callback-answer race: the user tapped a stale inline button
+    /query is too old and response timeout expired/i,
+    /query ID is invalid/i,
+    // The user deleted the message we were about to edit
+    /message to edit not found/i,
+    /message to delete not found/i,
+    /MESSAGE_ID_INVALID/i,
+];
+/**
+ * True if the error is one of the known-harmless Telegram races.
+ * Accepts Error objects, grammy's GrammyError (which has an additional
+ * `description` field), and plain strings. `null` / `undefined` return
+ * false so callers can use this directly in catch blocks.
+ */
+export function isHarmlessTelegramError(err) {
+    if (err === null || err === undefined)
+        return false;
+    let haystack = "";
+    if (typeof err === "string") {
+        haystack = err;
+    }
+    else if (err instanceof Error) {
+        haystack = err.message || "";
+        // grammy's GrammyError carries the server's reason on .description
+        const desc = err.description;
+        if (typeof desc === "string")
+            haystack += " " + desc;
+    }
+    else if (typeof err === "object") {
+        // Plain object — look for message/description fields
+        const obj = err;
+        if (typeof obj.message === "string")
+            haystack += obj.message;
+        if (typeof obj.description === "string")
+            haystack += " " + obj.description;
+    }
+    if (!haystack)
+        return false;
+    return HARMLESS_PATTERNS.some((re) => re.test(haystack));
+}

package/dist/web/server.js

@@ -31,6 +31,9 @@ import { BOT_ROOT, ENV_FILE, PUBLIC_DIR, MEMORY_DIR, MEMORY_FILE, SOUL_FILE, DAT
 import { broadcast } from "../services/broadcast.js";
 import { BOT_VERSION } from "../version.js";
 const WEB_PORT = parseInt(process.env.WEB_PORT || "3100");
+/** Module-scope reference to the WebSocket server so stopWebServer() can
+ *  tear it down together with the HTTP server. Set inside startWebServer(). */
+let wsServerRef = null;
 const WEB_PASSWORD = process.env.WEB_PASSWORD || "";
 /** The actual port the Web UI is running on (may differ from WEB_PORT if busy). */
 let actualWebPort = WEB_PORT;
@@ -1426,6 +1429,7 @@ export function startWebServer() {
         });
     });
     const wss = new WebSocketServer({ server });
+    wsServerRef = wss;
     handleWebSocket(wss);
     // Smart port: try WEB_PORT, increment if busy (up to +20)
     const MAX_TRIES = 20;
@@ -1449,6 +1453,58 @@ export function startWebServer() {
     tryListen(WEB_PORT);
     return server;
 }
+/**
+ * Gracefully stop the web server so the port is released.
+ *
+ * Why this exists: `shutdown()` in src/index.ts used to stop grammy and the
+ * scheduler but leave the HTTP server listening. macOS then held the
+ * listening socket in the socket table, so launchd's next boot of the bot
+ * hit `EADDRINUSE :::3100`, threw an Uncaught exception and crash-looped.
+ *
+ * What this does:
+ *   1. Force-close idle keep-alive sockets (otherwise close() hangs on them).
+ *   2. Force-close active open requests (long-poll clients, WebSocket
+ *      upgrades that never completed).
+ *   3. Tear down the WebSocket server so its own sockets don't linger.
+ *   4. Await `server.close()` so the listening socket is truly released
+ *      before the caller's shutdown continues.
+ *
+ * Safe to call multiple times; no-op when the server is already closed or
+ * never listened. Never throws.
+ */
+export async function stopWebServer(server) {
+    try {
+        if (wsServerRef) {
+            for (const client of wsServerRef.clients) {
+                try {
+                    client.terminate();
+                }
+                catch { /* ignore */ }
+            }
+            await new Promise((resolve) => wsServerRef.close(() => resolve()));
+            wsServerRef = null;
+        }
+    }
+    catch { /* ignore */ }
+    if (!server.listening)
+        return;
+    try {
+        // Node 18.2+ APIs — break any keep-alive / long-poll stalls so
+        // server.close() can actually resolve.
+        const s = server;
+        if (typeof s.closeIdleConnections === "function")
+            s.closeIdleConnections();
+        if (typeof s.closeAllConnections === "function")
+            s.closeAllConnections();
+    }
+    catch { /* ignore */ }
+    await new Promise((resolve) => {
+        // close() callback fires with an Error arg when the server wasn't
+        // listening — we just resolve in either case. The caller only cares
+        // that the port is free when this awaits.
+        server.close(() => resolve());
+    });
+}
 /** Get the actual port the Web UI is running on. */
 export function getWebPort() {
     return actualWebPort;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.8.8",
+  "version": "4.9.0",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",