alvin-bot 4.8.9 → 4.9.0

package/dist/services/cron.js

@@ -13,6 +13,7 @@ import fs from "fs";
 import { execSync } from "child_process";
 import { dirname } from "path";
 import { CRON_FILE, BOT_ROOT } from "../paths.js";
+import { prepareForExecution, handleStartupCatchup, calculateNextRunFrom, } from "./cron-scheduling.js";
 // ── Storage ─────────────────────────────────────────────
 function loadJobs() {
     try {
@@ -240,6 +241,25 @@ const runningJobs = new Set(); // Guard against overlapping executions
 export function startScheduler() {
     if (schedulerTimer)
         return;
+    // Startup catch-up — nachholen runs whose last attempt crashed within
+    // the grace window. Must run BEFORE the first scheduler tick so the
+    // catch-up nextRunAt rewind is visible on the very next pass.
+    try {
+        const bootJobs = loadJobs();
+        const caught = handleStartupCatchup(bootJobs, Date.now());
+        // Only persist if something actually changed to avoid needless writes
+        const mutated = caught.some((j, i) => j.nextRunAt !== bootJobs[i].nextRunAt);
+        if (mutated) {
+            saveJobs(caught);
+            const names = caught
+                .filter((j, i) => j.nextRunAt !== bootJobs[i].nextRunAt)
+                .map((j) => j.name);
+            console.log(`⏰ Cron startup catch-up: rewound ${names.length} job(s): ${names.join(", ")}`);
+        }
+    }
+    catch (err) {
+        console.error("⏰ Cron startup catch-up failed:", err);
+    }
     // Check every 30 seconds for due jobs
     schedulerTimer = setInterval(async () => {
         const jobs = loadJobs();
@@ -248,7 +268,7 @@ export function startScheduler() {
         for (const job of jobs) {
             if (!job.enabled)
                 continue;
-            // Skip if this job is already running
+            // Skip if this job is already running in THIS bot instance
             if (runningJobs.has(job.id))
                 continue;
             // Calculate next run if not set
@@ -258,9 +278,13 @@ export function startScheduler() {
             }
             if (job.nextRunAt && now >= job.nextRunAt) {
                 console.log(`Cron: Running job "${job.name}" (${job.id})`);
-                // Mark as running + clear nextRunAt BEFORE async execution to prevent re-trigger
+                // Pre-execution state update: advance nextRunAt to the NEXT regular
+                // trigger (NOT null) and stamp lastAttemptAt. If the bot crashes
+                // mid-execution, handleStartupCatchup will notice the attempt
+                // without completion and nachholen within the grace window.
                 runningJobs.add(job.id);
-                job.nextRunAt = null;
+                const prepared = prepareForExecution(job, now);
+                Object.assign(job, prepared);
                 saveJobs(jobs);
                 try {
                     const result = await executeJob(job);
@@ -268,8 +292,8 @@ export function startScheduler() {
                     const freshJobs = loadJobs();
                     const freshJob = freshJobs.find(j => j.id === job.id);
                     if (freshJob) {
-                        freshJob.lastRunAt = now;
-                        freshJob.lastResult = result.output.slice(0, 500);
+                        freshJob.lastRunAt = Date.now();
+                        freshJob.lastResult = result.output.slice(0, 4000);
                         freshJob.lastError = result.error || null;
                         freshJob.runCount++;
                         if (freshJob.oneShot) {
@@ -277,7 +301,9 @@ export function startScheduler() {
                             freshJob.nextRunAt = null;
                         }
                         else {
-                            freshJob.nextRunAt = calculateNextRun(freshJob);
+                            // nextRunAt already set pre-execution, but recalculate in case
+                            // the schedule or enabled state changed during execution.
+                            freshJob.nextRunAt = calculateNextRunFrom(freshJob, Date.now());
                         }
                         saveJobs(freshJobs);
                     }

package/dist/services/skills.js

@@ -21,6 +21,7 @@ import { resolve } from "path";
 import { SKILLS_DIR } from "../paths.js";
 import { USER_SKILLS_DIR } from "../paths.js";
 import { loadAssetIndex } from "./asset-index.js";
+import { debounce } from "../util/debounce.js";
 // ── Skill Registry ──────────────────────────────────────
 let cachedSkills = [];
 let lastScanAt = 0;
@@ -143,23 +144,26 @@ function reloadAllSkills() {
  */
 export function loadSkills() {
     reloadAllSkills();
-    // Hot-reload watchers
+    // Hot-reload watchers — macOS FSEvents delivers many duplicate events
+    // for a single logical change, so we coalesce bursts into one reload.
+    const bundledReload = debounce(() => {
+        console.log("Skills changed (bundled) \u2014 reloading");
+        reloadAllSkills();
+    }, 300);
+    const userReload = debounce(() => {
+        console.log("Skills changed (user) \u2014 reloading");
+        reloadAllSkills();
+    }, 300);
     try {
-        watch(SKILLS_DIR, { recursive: true }, () => {
-            console.log("Skills changed (bundled) \u2014 reloading");
-            reloadAllSkills();
-        });
+        watch(SKILLS_DIR, { recursive: true }, () => bundledReload());
     }
-    catch { }
+    catch { /* ignore — watcher failures fall back to manual reload */ }
     try {
         if (existsSync(USER_SKILLS_DIR)) {
-            watch(USER_SKILLS_DIR, { recursive: true }, () => {
-                console.log("Skills changed (user) \u2014 reloading");
-                reloadAllSkills();
-            });
+            watch(USER_SKILLS_DIR, { recursive: true }, () => userReload());
         }
     }
-    catch { }
+    catch { /* ignore */ }
     return cachedSkills;
 }
 /**

package/dist/services/subagent-delivery.js

@@ -47,11 +47,17 @@ function statusIcon(status) {
     }
 }
 function buildBanner(info, result) {
-    const icon = statusIcon(result.status);
+    // A "completed" run that produced zero output is almost always a
+    // silent failure — a truncated stream, a tool-only final turn, a
+    // provider that swallowed its response. Call that out explicitly so
+    // the user sees a clear signal instead of a green tick on nothing.
+    const truncated = result.status === "completed" && (!result.output || result.output.trim().length === 0);
+    const icon = truncated ? "⚠️" : statusIcon(result.status);
+    const statusLabel = truncated ? "completed · empty output" : result.status;
     const dur = formatDuration(result.duration);
     const ti = formatTokens(result.tokensUsed.input);
     const to = formatTokens(result.tokensUsed.output);
-    return `${icon} *${info.name}* ${result.status} · ${dur} · ${ti} in / ${to} out`;
+    return `${icon} *${info.name}* ${statusLabel} · ${dur} · ${ti} in / ${to} out`;
 }
 // ── A4 Live-Stream ──────────────────────────────────────────
 /**

package/dist/services/subagents.js

@@ -231,6 +231,13 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
             console.error(`[subagent ${id}] live-stream init failed:`, err);
         }
     }
+    // These live OUTSIDE the try block so the catch handler can read
+    // whatever was buffered before the stream failed. Moving them into
+    // the try scope was the cause of the "output: ''" regression.
+    let finalText = "";
+    let inputTokens = 0;
+    let outputTokens = 0;
+    let streamError = null;
     try {
         const { getRegistry } = await import("../engine.js");
         const registry = getRegistry();
@@ -243,9 +250,6 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
             ? agentConfig.workingDir || os.homedir()
             : os.homedir();
         const systemPrompt = `You are a sub-agent named "${resolvedName}". Complete the following task autonomously and report your results clearly when done. Working directory: ${effectiveCwd}`;
-        let finalText = "";
-        let inputTokens = 0;
-        let outputTokens = 0;
         for await (const chunk of registry.queryWithFallback({
             prompt: agentConfig.prompt,
             systemPrompt,
@@ -254,16 +258,33 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
             abortSignal: abort.signal,
         })) {
             if (chunk.type === "text") {
-                finalText = chunk.text || "";
-                // A4: push text updates into the throttled live-stream
+                // Both SDK providers emit `text` as the accumulated string.
+                // Keep the last non-empty one we've seen so a final tool-only
+                // turn doesn't wipe our buffer.
+                if (chunk.text && chunk.text.length > 0) {
+                    finalText = chunk.text;
+                }
                 if (liveStream && !liveStream.failed) {
                     liveStream.update(finalText);
                 }
             }
             if (chunk.type === "done") {
+                // done.text is the authoritative final accumulated text from
+                // the provider. Prefer it over the buffered value so runs that
+                // end on a tool_use don't leave us with a pre-tool snippet.
+                if (chunk.text && chunk.text.length > 0) {
+                    finalText = chunk.text;
+                }
                 inputTokens = chunk.inputTokens || 0;
                 outputTokens = chunk.outputTokens || 0;
             }
+            if (chunk.type === "error") {
+                // Providers surface mid-stream errors as an `error` chunk
+                // instead of throwing. Capture the reason so the post-loop
+                // status resolution below can distinguish this from a clean
+                // finish, and keep whatever text we already buffered.
+                streamError = chunk.error || "stream error";
+            }
         }
         // If cancelAllSubAgents has already taken over (shutdown path), don't
         // overwrite the cancelled result it synthesised. Also: if the generator
@@ -285,6 +306,21 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
             };
             entry.info.status = "cancelled";
         }
+        else if (streamError) {
+            // Provider emitted an error chunk but the generator ended cleanly —
+            // record it as an error, but preserve the text buffered before the
+            // failure so the caller sees useful partial output instead of "".
+            entry.result = {
+                id,
+                name: resolvedName,
+                status: "error",
+                output: finalText,
+                tokensUsed: { input: inputTokens, output: outputTokens },
+                duration: Date.now() - startTime,
+                error: streamError,
+            };
+            entry.info.status = "error";
+        }
         else {
             entry.result = {
                 id,
@@ -312,6 +348,9 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
         }
     }
     catch (err) {
+        // If cancelAllSubAgents already set a cancelled result, keep it.
+        if (entry.result && entry.result.status === "cancelled")
+            return;
         const isAbort = err instanceof Error && err.message.includes("abort");
         const isTimeout = abort.signal.aborted;
         const status = isTimeout
@@ -322,11 +361,13 @@ async function runSubAgent(id, agentConfig, abort, resolvedName) {
         entry.result = {
             id,
             name: resolvedName,
-            status,
-            output: "",
-            tokensUsed: { input: 0, output: 0 },
+            // Preserve whatever text was buffered before the failure.
+            // Empty output here used to throw away multi-minute runs.
+            output: finalText,
+            tokensUsed: { input: inputTokens, output: outputTokens },
             duration: Date.now() - startTime,
             error: err instanceof Error ? err.message : String(err),
+            status,
         };
         entry.info.status = status;
     }

package/dist/services/telegram.js

@@ -1,5 +1,6 @@
 import { config } from "../config.js";
 import { sanitizeTelegramMarkdown } from "./markdown.js";
+import { isHarmlessTelegramError } from "../util/telegram-error-filter.js";
 export class TelegramStreamer {
     messageId = null;
     chatId;
@@ -94,9 +95,17 @@ export class TelegramStreamer {
         // If text fits in one message, just update the existing one
         if (safeText.length <= config.telegramMaxLength && this.messageId) {
             if (safeText !== this.lastSentText) {
-                await this.api.editMessageText(this.chatId, this.messageId, safeText, {
-                    parse_mode: "Markdown",
-                }).catch(() => this.api.editMessageText(this.chatId, this.messageId, safeText));
+                try {
+                    await this.api.editMessageText(this.chatId, this.messageId, safeText, {
+                        parse_mode: "Markdown",
+                    }).catch(() => this.api.editMessageText(this.chatId, this.messageId, safeText));
+                }
+                catch (err) {
+                    // Drop "message is not modified" / "message to edit not found"
+                    // races silently — they're harmless and always race-based.
+                    if (!isHarmlessTelegramError(err))
+                        throw err;
+                }
             }
             return;
         }

package/dist/services/watchdog-brake.js

@@ -0,0 +1,113 @@
+/**
+ * Pure crash-loop brake logic, extracted from watchdog.ts so it can be
+ * unit-tested without touching the filesystem or launchctl.
+ *
+ * See test/watchdog-brake.test.ts for the regression this closes:
+ * chronic crashes with >5 min of uptime between them used to reset
+ * the counter before it could trip the brake, so the bot cycled
+ * indefinitely. The new policy enforces TWO thresholds — a fast
+ * short-window brake and a hard 24h daily cap — and only resets the
+ * counter after a real 1 h of clean uptime.
+ */
+export const DEFAULTS = {
+    /** Beacon older than this → previous process exited cleanly (or the
+     *  machine was rebooted); do not count as a crash. */
+    STALE_BEACON_MS: 90_000,
+    /** Short-window crash tracking — N crashes in SHORT_WINDOW_MS. */
+    SHORT_WINDOW_MS: 10 * 60_000,
+    SHORT_BRAKE_THRESHOLD: 10,
+    /** Daily crash cap — hard ceiling regardless of gaps. Tripping this
+     *  means the bot has been restarting >20 times per day, which is
+     *  almost certainly a chronic issue worth freezing and alerting. */
+    DAILY_WINDOW_MS: 24 * 60 * 60 * 1000,
+    DAILY_BRAKE_THRESHOLD: 20,
+    /** Uptime required before the short-window counter resets. Was 5 min
+     *  in the buggy version — but 5 min is shorter than the typical
+     *  sub-agent lifetime (the daily job-alert takes 10+ min), so chronic
+     *  crashes with ≥5 min gaps sailed right past the brake. 1 h is safer. */
+    RESET_AFTER_MS: 60 * 60_000,
+};
+/**
+ * Given the previous beacon (or null on first boot) and the current time,
+ * decide whether the bot should proceed with boot or engage the crash-loop
+ * brake.
+ *
+ * PURE: no fs, no launchctl, no clock — `now` is an explicit parameter.
+ */
+export function decideBrakeAction(previous, now, opts = {}) {
+    const staleMs = opts.staleBeaconMs ?? DEFAULTS.STALE_BEACON_MS;
+    const shortWindow = opts.shortWindowMs ?? DEFAULTS.SHORT_WINDOW_MS;
+    const shortBrake = opts.shortBrakeThreshold ?? DEFAULTS.SHORT_BRAKE_THRESHOLD;
+    const dailyWindow = opts.dailyWindowMs ?? DEFAULTS.DAILY_WINDOW_MS;
+    const dailyBrake = opts.dailyBrakeThreshold ?? DEFAULTS.DAILY_BRAKE_THRESHOLD;
+    // First boot or no beacon file → clean start
+    if (!previous) {
+        return {
+            action: "proceed",
+            crashCount: 0,
+            crashWindowStart: now,
+            dailyCrashCount: 0,
+            dailyCrashWindowStart: now,
+        };
+    }
+    // Daily window roll-over first — it's independent of short window.
+    let dailyCount = previous.dailyCrashCount;
+    let dailyStart = previous.dailyCrashWindowStart;
+    if (now - dailyStart >= dailyWindow) {
+        dailyCount = 0;
+        dailyStart = now;
+    }
+    const timeSinceLastBeat = now - previous.lastBeat;
+    const previousExitedRecently = timeSinceLastBeat < staleMs;
+    if (!previousExitedRecently) {
+        // Clean exit (or machine reboot between runs) → short-window counter
+        // resets, but the daily counter keeps going unless its own window
+        // already expired above.
+        return {
+            action: "proceed",
+            crashCount: 0,
+            crashWindowStart: now,
+            dailyCrashCount: dailyCount,
+            dailyCrashWindowStart: dailyStart,
+        };
+    }
+    // Short-window logic
+    const shortWindowExpired = now - previous.crashWindowStart >= shortWindow;
+    let crashCount;
+    let crashWindowStart;
+    if (shortWindowExpired) {
+        crashCount = 1;
+        crashWindowStart = now;
+    }
+    else {
+        crashCount = previous.crashCount + 1;
+        crashWindowStart = previous.crashWindowStart;
+    }
+    // Increment daily count since we treat this as a crash
+    dailyCount += 1;
+    if (crashCount >= shortBrake) {
+        return {
+            action: "brake",
+            reason: `${crashCount} crashes within short window (${Math.round(shortWindow / 60_000)}min) — threshold is ${shortBrake}`,
+        };
+    }
+    if (dailyCount >= dailyBrake) {
+        return {
+            action: "brake",
+            reason: `${dailyCount} crashes within daily window (${Math.round(dailyWindow / 3_600_000)}h) — threshold is ${dailyBrake}`,
+        };
+    }
+    return {
+        action: "proceed",
+        crashCount,
+        crashWindowStart,
+        dailyCrashCount: dailyCount,
+        dailyCrashWindowStart: dailyStart,
+    };
+}
+/** Whether the short-window crash counter should be reset after this
+ *  much clean uptime. Default: 1 h. */
+export function shouldResetCrashCounter(uptimeMs, opts = {}) {
+    const threshold = opts.resetAfterMs ?? DEFAULTS.RESET_AFTER_MS;
+    return uptimeMs >= threshold;
+}

package/dist/services/watchdog.js

@@ -27,15 +27,13 @@ import { resolve } from "path";
 import os from "os";
 import { execSync } from "child_process";
 import { BOT_VERSION } from "../version.js";
+import { decideBrakeAction, shouldResetCrashCounter, DEFAULTS, } from "./watchdog-brake.js";
 const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot");
 const STATE_DIR = resolve(DATA_DIR, "state");
 const BEACON_FILE = resolve(STATE_DIR, "watchdog.json");
 const ALERT_FILE = resolve(STATE_DIR, "crash-loop.alert");
 const BEACON_INTERVAL_MS = 30_000; // write a beacon every 30 s
-const CRASH_WINDOW_MS = 10 * 60 * 1000; // 10 min — crashes within this count toward the brake
-const CRASH_BRAKE_THRESHOLD = 10; // after this many crashes in the window, brake
-const STALE_BEACON_MS = 90_000; // a beacon older than this is considered "old enough that previous process really exited"
-const RECOVERY_UPTIME_MS = 5 * 60 * 1000; // 5 min of clean uptime resets the counter
+// Thresholds and windows live in watchdog-brake.ts DEFAULTS.
 let beaconTimer = null;
 let resetTimer = null;
 let bootTime = 0;
@@ -57,7 +55,21 @@ function readBeacon() {
             typeof parsed.crashCount === "number" &&
             typeof parsed.crashWindowStart === "number" &&
             typeof parsed.version === "string") {
-            return parsed;
+            // Older beacons don't have daily-counter fields — default them to
+            // 0/now so the brake logic treats this run as the start of the
+            // first daily window.
+            return {
+                lastBeat: parsed.lastBeat,
+                pid: parsed.pid,
+                bootTime: parsed.bootTime,
+                crashCount: parsed.crashCount,
+                crashWindowStart: parsed.crashWindowStart,
+                version: parsed.version,
+                dailyCrashCount: typeof parsed.dailyCrashCount === "number" ? parsed.dailyCrashCount : 0,
+                dailyCrashWindowStart: typeof parsed.dailyCrashWindowStart === "number"
+                    ? parsed.dailyCrashWindowStart
+                    : Date.now(),
+            };
         }
         return null;
     }
@@ -78,8 +90,9 @@ function writeAlert(reason, crashCount) {
         const content = [
             `Alvin Bot crash-loop brake hit at ${new Date().toISOString()}`,
             `Version: ${BOT_VERSION}`,
-            `Crashes in the last ${CRASH_WINDOW_MS / 60_000} minutes: ${crashCount}`,
-            `Threshold: ${CRASH_BRAKE_THRESHOLD}`,
+            `Crashes in the last ${DEFAULTS.SHORT_WINDOW_MS / 60_000} minutes: ${crashCount}`,
+            `Short-window threshold: ${DEFAULTS.SHORT_BRAKE_THRESHOLD}`,
+            `Daily threshold: ${DEFAULTS.DAILY_BRAKE_THRESHOLD}`,
             ``,
             `Reason: ${reason}`,
             ``,
@@ -147,36 +160,25 @@ export function startWatchdog() {
     ensureStateDir();
     bootTime = Date.now();
     const previous = readBeacon();
-    let crashCount = 0;
-    let crashWindowStart = bootTime;
+    const decision = decideBrakeAction(previous, bootTime);
+    if (decision.action === "brake") {
+        console.error(`[watchdog] crash-loop brake triggered: ${decision.reason}`);
+        writeAlert(decision.reason, previous?.crashCount ?? 0);
+        checkCrashLoopBrake();
+        // checkCrashLoopBrake calls process.exit — execution never reaches here.
+        return;
+    }
+    let crashCount = decision.crashCount;
+    let crashWindowStart = decision.crashWindowStart;
+    let dailyCrashCount = decision.dailyCrashCount;
+    let dailyCrashWindowStart = decision.dailyCrashWindowStart;
     if (previous) {
         const timeSinceLastBeat = bootTime - previous.lastBeat;
-        const inWindow = bootTime - previous.crashWindowStart < CRASH_WINDOW_MS;
-        if (timeSinceLastBeat < STALE_BEACON_MS) {
-            // Previous process exited very recently → that's a crash (or a
-            // graceful exit immediately followed by a restart, which we treat
-            // the same way for the brake — the goal is to detect rapid cycles).
-            if (inWindow) {
-                crashCount = previous.crashCount + 1;
-                crashWindowStart = previous.crashWindowStart;
-            }
-            else {
-                // Previous crash was outside the window → reset counter
-                crashCount = 1;
-            }
-            console.log(`[watchdog] detected restart after ${Math.round(timeSinceLastBeat / 1000)}s — crash ${crashCount}/${CRASH_BRAKE_THRESHOLD} in current ${CRASH_WINDOW_MS / 60_000}min window`);
-            if (crashCount >= CRASH_BRAKE_THRESHOLD) {
-                console.error(`[watchdog] crash-loop brake triggered (${crashCount} crashes in ${CRASH_WINDOW_MS / 60_000}min)`);
-                writeAlert(`Process restarted ${crashCount} times within ${CRASH_WINDOW_MS / 60_000} minutes. Last beacon was ${Math.round(timeSinceLastBeat / 1000)}s ago. Most likely a deterministic crash on startup.`, crashCount);
-                // Re-use the brake check to unload + exit cleanly
-                checkCrashLoopBrake();
-            }
-        }
-        else {
-            // Previous beacon was old → process had clean uptime before exit,
-            // OR system was rebooted between runs. Reset crash count.
-            crashCount = 0;
-            crashWindowStart = bootTime;
+        if (timeSinceLastBeat < DEFAULTS.STALE_BEACON_MS) {
+            console.log(`[watchdog] detected restart after ${Math.round(timeSinceLastBeat / 1000)}s — ` +
+                `crash ${crashCount}/${DEFAULTS.SHORT_BRAKE_THRESHOLD} in current ` +
+                `${DEFAULTS.SHORT_WINDOW_MS / 60_000}min window, ` +
+                `${dailyCrashCount}/${DEFAULTS.DAILY_BRAKE_THRESHOLD} in current 24h window`);
         }
     }
     // Write the first beacon immediately so a fresh restart updates the file
@@ -186,6 +188,8 @@ export function startWatchdog() {
         bootTime,
         crashCount,
         crashWindowStart,
+        dailyCrashCount,
+        dailyCrashWindowStart,
         version: BOT_VERSION,
     });
     // Periodic beacon writer
@@ -196,15 +200,20 @@ export function startWatchdog() {
             bootTime,
             crashCount,
             crashWindowStart,
+            dailyCrashCount,
+            dailyCrashWindowStart,
             version: BOT_VERSION,
         });
     }, BEACON_INTERVAL_MS);
-    // Schedule a recovery counter reset after RECOVERY_UPTIME_MS of clean
-    // uptime. If we make it that far without dying, the bot is healthy
-    // again and we shouldn't penalize a future single crash.
+    // Schedule a recovery counter reset after RESET_AFTER_MS (1 h by default)
+    // of clean uptime. The old policy was 5 min — too short because chronic
+    // crashes often had 5-10 min gaps and never tripped the brake.
     resetTimer = setTimeout(() => {
-        if (crashCount > 0) {
-            console.log(`[watchdog] ${RECOVERY_UPTIME_MS / 60_000}min clean uptime — resetting crash counter from ${crashCount} to 0`);
+        const uptime = Date.now() - bootTime;
+        if (shouldResetCrashCounter(uptime) && crashCount > 0) {
+            console.log(`[watchdog] ${Math.round(uptime / 60_000)}min clean uptime — ` +
+                `resetting short-window crash counter from ${crashCount} to 0 ` +
+                `(daily counter ${dailyCrashCount} stays)`);
             crashCount = 0;
             crashWindowStart = Date.now();
             writeBeacon({
@@ -213,11 +222,16 @@ export function startWatchdog() {
                 bootTime,
                 crashCount,
                 crashWindowStart,
+                dailyCrashCount,
+                dailyCrashWindowStart,
                 version: BOT_VERSION,
             });
         }
-    }, RECOVERY_UPTIME_MS);
-    console.log(`[watchdog] started — beacon every ${BEACON_INTERVAL_MS / 1000}s, brake at ${CRASH_BRAKE_THRESHOLD} crashes per ${CRASH_WINDOW_MS / 60_000}min, recovery after ${RECOVERY_UPTIME_MS / 60_000}min uptime`);
+    }, DEFAULTS.RESET_AFTER_MS);
+    console.log(`[watchdog] started — beacon every ${BEACON_INTERVAL_MS / 1000}s, ` +
+        `brake at ${DEFAULTS.SHORT_BRAKE_THRESHOLD} crashes / ${DEFAULTS.SHORT_WINDOW_MS / 60_000}min ` +
+        `or ${DEFAULTS.DAILY_BRAKE_THRESHOLD} / 24h, ` +
+        `recovery after ${DEFAULTS.RESET_AFTER_MS / 60_000}min uptime`);
 }
 /**
  * Stop the watchdog cleanly. Called from the shutdown handler in

package/dist/util/console-formatter.js

@@ -0,0 +1,109 @@
+/**
+ * Console formatter — adds ISO timestamps to every console.log /
+ * console.warn / console.error call, and drops high-volume noise
+ * (libsignal session dumps, Claude CLI native-binary banner).
+ *
+ * Installed once at bootstrap time from src/index.ts. Idempotent.
+ *
+ * Why not pino / winston: those pull in several MB of deps and change
+ * the call-site ergonomics. Every caller in the bot today uses plain
+ * `console.log`; monkey-patching those is a 40-line change instead of
+ * a refactor of every file.
+ */
+import util from "node:util";
+let snapshot = null;
+/**
+ * Noise patterns from production logs that fill out.log/err.log with
+ * tens of KB per day without carrying useful signal. Added sparingly —
+ * every entry here is a line a human will never need to grep for.
+ */
+const NOISE_PATTERNS = [
+    // libsignal session dump header — the multi-line body following this
+    // line is silenced by the first-line detector below.
+    /^Closing session: SessionEntry \{/,
+    // libsignal prekey bundle swap notification
+    /^Closing open session in favor of incoming prekey bundle/,
+    // Claude CLI startup banner — spammed once per query
+    /^\[claude\] Native binary: /,
+    // libsignal Bad MAC — session desync, harmless, repeats endlessly
+    /^Session error:Error: Bad MAC Error: Bad MAC/,
+];
+/** Exported for testing. */
+export function isNoisyLine(line) {
+    return NOISE_PATTERNS.some((re) => re.test(line));
+}
+/**
+ * Track whether we're currently inside a libsignal multi-line dump. The
+ * dumps look like `Closing session: SessionEntry {` followed by several
+ * lines of buffer hex, closing with `}`. We swallow everything from the
+ * opening brace to its matching `}` line.
+ */
+let suppressDepth = 0;
+function shouldSuppress(raw) {
+    const line = raw.trimEnd();
+    if (suppressDepth > 0) {
+        // Inside a multi-line dump — count braces on this line. The dumps
+        // only contain ASCII braces in the structural positions, so this
+        // is safe enough for production noise.
+        const opens = (line.match(/\{/g) || []).length;
+        const closes = (line.match(/\}/g) || []).length;
+        suppressDepth += opens;
+        suppressDepth -= closes;
+        if (suppressDepth < 0)
+            suppressDepth = 0;
+        return true;
+    }
+    if (isNoisyLine(line)) {
+        // If the noisy header opens a block, start suppressing its body.
+        const opens = (line.match(/\{/g) || []).length;
+        const closes = (line.match(/\}/g) || []).length;
+        suppressDepth = Math.max(0, opens - closes);
+        return true;
+    }
+    return false;
+}
+function formatWithTimestamp(method, stream) {
+    return (...args) => {
+        // Render args the same way console does — util.format handles %s / %d / objects.
+        const text = renderArgs(args);
+        if (shouldSuppress(text))
+            return;
+        const stamp = new Date().toISOString();
+        // Write directly to the stream so we don't recurse through console.
+        stream.write(`${stamp} ${text}\n`);
+        void method; // keep original ref alive for uninstall
+    };
+}
+function renderArgs(args) {
+    // Use Node's built-in util.format — it matches console.* exactly.
+    return util.format(...args);
+}
+/**
+ * Install timestamp + noise-filter formatters on console.log/warn/info/error.
+ * Safe to call multiple times.
+ */
+export function installConsoleFormatter() {
+    if (snapshot)
+        return; // already installed
+    snapshot = {
+        log: console.log.bind(console),
+        warn: console.warn.bind(console),
+        error: console.error.bind(console),
+        info: console.info.bind(console),
+    };
+    console.log = formatWithTimestamp(snapshot.log, process.stdout);
+    console.info = formatWithTimestamp(snapshot.info, process.stdout);
+    console.warn = formatWithTimestamp(snapshot.warn, process.stderr);
+    console.error = formatWithTimestamp(snapshot.error, process.stderr);
+}
+/** Restore the original console methods. Used by tests + shutdown. */
+export function uninstallConsoleFormatter() {
+    if (!snapshot)
+        return;
+    console.log = snapshot.log;
+    console.info = snapshot.info;
+    console.warn = snapshot.warn;
+    console.error = snapshot.error;
+    snapshot = null;
+    suppressDepth = 0;
+}