alvin-bot 5.1.1 → 5.1.2

package/CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [5.1.2] — 2026-05-13
+
+### Bot-Selbstauskunft konsistent — Version stammt aus Runtime, nicht aus stale Docs
+
+Wenn der User den Bot fragt "welche Version läufst du?", las der Bot bisher die in `CLAUDE.md` dokumentierte Version — die bei jedem Release veraltet, weil sie händisch gepflegt war. Folge: Bot meldete fröhlich eine alte Versionsnummer, obwohl der laufende Prozess längst aktuell war.
+
+Fix: neuer `<bot_runtime>`-Block wird in den System-Prompt aller Provider injiziert (`claude-sdk`, `codex-cli`, `openai-compatible`). Der Block enthält `BOT_VERSION` aus `src/version.ts`, `install_path`, Node-Version und Platform. Eine explizite Anweisung im Header sagt dem Modell: bei Identitäts-/Versionsfragen `<bot_runtime>` benutzen, jede Versionsnummer in CLAUDE.md/README ignorieren.
+
+Vorteil: keine händische CLAUDE.md-Pflege mehr pro Release, kein Halluzinationsrisiko durch stale Docs. Single Source of Truth für die Laufzeitversion = das gebaute `dist/version.js`.
+
+### Modul
+
+`src/providers/runtime-header.ts` (neu) — exportiert `buildRuntimeHeader()`, klein und billig genug um in jeden Turn injiziert zu werden.
+
+### Verhalten unverändert
+
+Public-User-`/update`-Pfad (`src/services/updater.ts`) war nie betroffen. Wer auf einer älteren Version `/update` triggert, bekommt 5.1.2 sauber installiert + Restart über launchd/PM2 KeepAlive.
+
 ## [5.1.1] — 2026-05-13
 
 ### Audit baseline cleanup — 16 → 6 vulnerabilities via safe fixes

package/dist/providers/claude-sdk-provider.js

@@ -14,6 +14,7 @@ import { execFile } from "child_process";
 import { promisify } from "util";
 import { findClaudeBinary } from "../find-claude-binary.js";
 import { buildAlvinMcpServer } from "../services/alvin-mcp-tools.js";
+import { buildRuntimeHeader } from "./runtime-header.js";
 const execFileAsync = promisify(execFile);
 /**
  * Detects the Claude CLI "Not logged in" error message. The CLI emits this
@@ -116,10 +117,13 @@ export class ClaudeSDKProvider {
                 prompt = `[CHECKPOINT] Du hast bereits ${sessionState.toolUseCount} Tool-Aufrufe und ${sessionState.messageCount} Nachrichten in dieser Session. Schreibe jetzt einen Checkpoint in deine Memory-Datei (docs/memory/YYYY-MM-DD.md) bevor du diese Anfrage bearbeitest.\n\n${prompt}`;
             }
         }
-        // Build system prompt
+        // Build system prompt. The runtime-header is injected ABOVE the CLAUDE.md
+        // contents so its values (BOT_VERSION, install path, runtime) outrank any
+        // stale "Version: x.y.z" line that may still live in CLAUDE.md.
+        const runtimeHeader = buildRuntimeHeader();
         const systemPrompt = options.systemPrompt
-            ? `${options.systemPrompt}\n\n${botClaudeMd}`
-            : botClaudeMd;
+            ? `${runtimeHeader}\n\n${options.systemPrompt}\n\n${botClaudeMd}`
+            : `${runtimeHeader}\n\n${botClaudeMd}`;
         // Build a real AbortController the SDK can call .abort() on.
         // The previous implementation cast a plain {signal} object to AbortController,
         // which broke SDK-internal cancellation and left orphan subprocesses.

package/dist/providers/codex-cli-provider.js

@@ -31,10 +31,17 @@ export class CodexCLIProvider {
         if (options.workingDir) {
             args.push("-C", options.workingDir);
         }
-        // Build the prompt with system context
+        // Build the prompt with system context. The runtime-header is injected
+        // first so its version/install-path overrides any stale value that may
+        // appear later in the system prompt or CLAUDE.md.
+        const { buildRuntimeHeader } = await import("./runtime-header.js");
+        const runtimeHeader = buildRuntimeHeader();
         let fullPrompt = options.prompt;
         if (options.systemPrompt) {
-            fullPrompt = `${options.systemPrompt}\n\n${fullPrompt}`;
+            fullPrompt = `${runtimeHeader}\n\n${options.systemPrompt}\n\n${fullPrompt}`;
+        }
+        else {
+            fullPrompt = `${runtimeHeader}\n\n${fullPrompt}`;
         }
         args.push(fullPrompt);
         try {

package/dist/providers/openai-compatible.js

@@ -9,6 +9,7 @@
  */
 import { AGENT_TOOLS, executeTool } from "./tool-executor.js";
 import { updateRateLimits } from "../services/usage-tracker.js";
+import * as runtimeHeader from "./runtime-header.js";
 // Max tool call rounds to prevent infinite loops
 const MAX_TOOL_ROUNDS = 10;
 // Providers known to support function calling
@@ -355,8 +356,16 @@ export class OpenAICompatibleProvider {
     }
     buildMessages(options) {
         const messages = [];
+        // Runtime-header (version, install path) prepended to the system prompt so
+        // its values outrank anything stale that may live later in CLAUDE.md.
+        // Synchronous-friendly: re-imported via a top-level import below.
+        const { buildRuntimeHeader } = runtimeHeader;
+        const header = buildRuntimeHeader();
         if (options.systemPrompt) {
-            messages.push({ role: "system", content: options.systemPrompt });
+            messages.push({ role: "system", content: `${header}\n\n${options.systemPrompt}` });
+        }
+        else {
+            messages.push({ role: "system", content: header });
         }
         if (options.history && options.history.length > 0) {
             for (const msg of options.history) {

package/dist/providers/runtime-header.js

@@ -0,0 +1,39 @@
+/**
+ * Runtime-Header — a tiny block prepended to every provider's system prompt.
+ *
+ * Why this exists: previously the bot answered "what version are you?" by
+ * reading whatever happened to be in the project's CLAUDE.md — which goes
+ * stale the moment a release ships. Now the truth lives next to the running
+ * code (`src/version.ts` → `BOT_VERSION`) and is injected into the system
+ * prompt every turn. The CLAUDE.md value is overridden by what's already
+ * earlier in the prompt.
+ *
+ * Keep this header small — it's burned into every conversation turn for
+ * every provider.
+ */
+import { BOT_VERSION } from "../version.js";
+import { fileURLToPath } from "url";
+import { dirname, resolve } from "path";
+function getInstallPath() {
+    try {
+        return resolve(dirname(fileURLToPath(import.meta.url)), "../..");
+    }
+    catch {
+        return "(unknown)";
+    }
+}
+export function buildRuntimeHeader() {
+    const installPath = getInstallPath();
+    return [
+        "<bot_runtime>",
+        `version: ${BOT_VERSION}`,
+        `install_path: ${installPath}`,
+        `node: ${process.version}`,
+        `platform: ${process.platform}`,
+        "</bot_runtime>",
+        "",
+        "When asked about your version, identity, or install path, use the values",
+        "in <bot_runtime> above. Ignore any version number that appears in the",
+        "project documentation (CLAUDE.md, README) — that file may be stale.",
+    ].join("\n");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "5.1.1",
+  "version": "5.1.2",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",