alvin-bot 5.1.5 → 5.1.7

package/CHANGELOG.md

@@ -2,6 +2,46 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [5.1.7] — 2026-05-17
+
+### Scheduled jobs no longer run twice after a restart
+
+If two bot instances were briefly alive at the same time — for example
+right after an auto-update or a restart, while the old process was still
+shutting down — a scheduled job could fire twice within the same minute.
+One real case: a weekly report job sent its email, then sent an empty
+duplicate 30 seconds later. The old overlap guard only worked inside a
+single process, so a second instance never saw the first one's claim.
+
+Jobs are now claimed with a small cross-process lock before they run, so
+only one instance can execute a given job for a given slot. A crashed
+run can't wedge the lock — it is reclaimed automatically once the owning
+process is gone. Manual `/cron run` honours the same lock. No
+configuration changes; existing jobs just stop double-firing.
+
+## [5.1.6] — 2026-05-15
+
+### Planned restarts really stop counting as crashes now
+
+v5.1.5 added a flag that marks self-updates and `/update` / `/restart`
+as intentional so they don't inflate the crash counter. Half of it
+didn't actually work: the code that reads the saved state back on the
+next boot rebuilt it field by field and silently dropped that very
+flag, so the crash detector never saw it and planned restarts were
+still scored as crashes. (The other half of v5.1.5 — not counting
+benign log lines as errors — was unaffected and has been working.)
+
+This release makes the read path preserve the flag, so a planned
+restart is now genuinely treated as a clean exit. The state-parsing
+logic was pulled into a tested pure function so the read-back round
+trip can't silently regress like this again.
+
+### What this means for you
+
+If you updated to 5.1.5 and still saw the crash count tick up by one
+each time the bot updated itself, that stops now. The error-trend
+half of the 5.1.5 fix already worked; this completes the crash half.
+
 ## [5.1.5] — 2026-05-15
 
 ### Health monitor no longer cries wolf about its own log lines

package/dist/services/cron.js

@@ -11,7 +11,7 @@
  */
 import fs from "fs";
 import { execSync } from "child_process";
-import { dirname } from "path";
+import { resolve, dirname } from "path";
 import { CRON_FILE, BOT_ROOT } from "../paths.js";
 import { prepareForExecution, handleStartupCatchup, calculateNextRunFrom, } from "./cron-scheduling.js";
 import { resolveJobByNameOrId } from "./cron-resolver.js";
@@ -256,6 +256,85 @@ async function executeJob(job) {
 // ── Scheduler Loop ──────────────────────────────────────
 let schedulerTimer = null;
 const runningJobs = new Set(); // Guard against overlapping executions
+// ── Cross-process job lock ──────────────────────────────
+//
+// `runningJobs` only guards overlap WITHIN this process. If two bot
+// instances are briefly alive at once (a launchd/pm2 restart that left
+// the old process running, or startup-catchup racing the normal tick),
+// each has its own in-memory Set and the same job can fire twice —
+// observed in the wild: a weekly job mailed its report, then mailed an
+// empty duplicate 30 s later. This atomic `mkdir` lock makes the claim
+// cross-process: the second instance sees the lock and skips the slot
+// instead of double-firing. Stale locks (owning PID gone, or — when the
+// meta is unreadable — older than the catch-up grace) are reclaimed so a
+// crash can never wedge a job forever. No deps, cross-platform.
+const CRON_LOCK_DIR = resolve(dirname(CRON_FILE), ".cron-locks");
+const CRON_LOCK_MAX_AGE_MS = 6 * 60 * 60 * 1000; // backstop for corrupt meta
+function cronLockPath(jobId) {
+    return resolve(CRON_LOCK_DIR, `${jobId.replace(/[^A-Za-z0-9_-]/g, "_")}.lock`);
+}
+function acquireJobLock(jobId) {
+    const lock = cronLockPath(jobId);
+    const writeMeta = () => {
+        try {
+            fs.writeFileSync(resolve(lock, "meta"), JSON.stringify({ pid: process.pid, at: Date.now() }));
+        }
+        catch { /* meta is best-effort */ }
+    };
+    try {
+        fs.mkdirSync(CRON_LOCK_DIR, { recursive: true });
+    }
+    catch { /* ignore */ }
+    try {
+        fs.mkdirSync(lock); // atomic: throws EEXIST if another instance holds it
+        writeMeta();
+        return true;
+    }
+    catch {
+        let stale = false;
+        try {
+            const meta = JSON.parse(fs.readFileSync(resolve(lock, "meta"), "utf-8"));
+            if (typeof meta.pid === "number") {
+                try {
+                    process.kill(meta.pid, 0); // same-host liveness probe (no signal sent)
+                }
+                catch (e) {
+                    if (e.code === "ESRCH")
+                        stale = true; // owner gone
+                }
+            }
+            else {
+                stale = true; // no usable pid recorded
+            }
+        }
+        catch {
+            // meta missing/corrupt → fall back to lock-dir age
+            try {
+                stale = Date.now() - fs.statSync(lock).mtimeMs > CRON_LOCK_MAX_AGE_MS;
+            }
+            catch {
+                stale = false; // can't stat → treat as held (skip rather than double-fire)
+            }
+        }
+        if (!stale)
+            return false;
+        try {
+            fs.rmSync(lock, { recursive: true, force: true });
+            fs.mkdirSync(lock);
+            writeMeta();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+function releaseJobLock(jobId) {
+    try {
+        fs.rmSync(cronLockPath(jobId), { recursive: true, force: true });
+    }
+    catch { /* ignore */ }
+}
 export function startScheduler() {
     if (schedulerTimer)
         return;
@@ -301,6 +380,13 @@ export function startScheduler() {
                 // mid-execution, handleStartupCatchup will notice the attempt
                 // without completion and nachholen within the grace window.
                 runningJobs.add(job.id);
+                // Cross-process claim: if another bot instance already owns this
+                // slot, skip instead of double-firing (the duplicate-report bug).
+                if (!acquireJobLock(job.id)) {
+                    runningJobs.delete(job.id);
+                    console.log(`Cron: job "${job.name}" (${job.id}) already claimed by another instance — skipping to avoid double-fire`);
+                    continue;
+                }
                 const prepared = prepareForExecution(job, now);
                 Object.assign(job, prepared);
                 saveJobs(jobs);
@@ -328,6 +414,7 @@ export function startScheduler() {
                 }
                 finally {
                     runningJobs.delete(job.id);
+                    releaseJobLock(job.id);
                 }
                 continue; // Skip the outer changed/save since we save inside
             }
@@ -422,6 +509,11 @@ export async function runJobNow(nameOrId) {
         return { status: "already-running", job };
     }
     runningJobs.add(job.id);
+    // Cross-process: another bot instance may already be running this job.
+    if (!acquireJobLock(job.id)) {
+        runningJobs.delete(job.id);
+        return { status: "already-running", job };
+    }
     try {
         // executeJob catches its own errors and returns { output, error }.
         // The inner try/catch here is a defensive belt against future
@@ -460,6 +552,7 @@ export async function runJobNow(nameOrId) {
     }
     finally {
         runningJobs.delete(job.id);
+        releaseJobLock(job.id);
     }
 }
 /**

package/dist/services/watchdog-brake.js

@@ -27,6 +27,45 @@ export const DEFAULTS = {
      *  crashes with ≥5 min gaps sailed right past the brake. 1 h is safer. */
     RESET_AFTER_MS: 60 * 60_000,
 };
+/**
+ * Validate + normalize a parsed beacon JSON into a BeaconData (or null
+ * if the core fields are missing/wrong-typed). Pure so the read-path
+ * field mapping is unit-testable — extracted after v5.1.5 shipped a
+ * broken expectedRestart: the old readBeacon() rebuilt the object
+ * field-by-field and silently dropped expectedRestart, so the flag
+ * never reached decideBrakeAction and intentional restarts were still
+ * counted as crashes. Whatever round-trips here is what the brake sees.
+ */
+export function normalizeBeacon(parsed) {
+    if (!parsed)
+        return null;
+    if (typeof parsed.lastBeat === "number" &&
+        typeof parsed.pid === "number" &&
+        typeof parsed.bootTime === "number" &&
+        typeof parsed.crashCount === "number" &&
+        typeof parsed.crashWindowStart === "number" &&
+        typeof parsed.version === "string") {
+        return {
+            lastBeat: parsed.lastBeat,
+            pid: parsed.pid,
+            bootTime: parsed.bootTime,
+            crashCount: parsed.crashCount,
+            crashWindowStart: parsed.crashWindowStart,
+            version: parsed.version,
+            // Older beacons don't have daily-counter fields — default them to
+            // 0/now so the brake logic treats this run as the start of the
+            // first daily window.
+            dailyCrashCount: typeof parsed.dailyCrashCount === "number" ? parsed.dailyCrashCount : 0,
+            dailyCrashWindowStart: typeof parsed.dailyCrashWindowStart === "number"
+                ? parsed.dailyCrashWindowStart
+                : Date.now(),
+            // The whole point of the v5.1.6 fix: propagate expectedRestart so
+            // a planned restart is not scored as a crash on the next boot.
+            expectedRestart: parsed.expectedRestart === true,
+        };
+    }
+    return null;
+}
 /**
  * Given the previous beacon (or null on first boot) and the current time,
  * decide whether the bot should proceed with boot or engage the crash-loop

package/dist/services/watchdog.js

@@ -29,7 +29,7 @@ import { execSync } from "child_process";
 import { BOT_VERSION } from "../version.js";
 import { emitCritical } from "./critical-notify.js";
 import { writeDiagnosticBundle } from "./auto-diagnostic.js";
-import { decideBrakeAction, shouldResetCrashCounter, DEFAULTS, } from "./watchdog-brake.js";
+import { decideBrakeAction, shouldResetCrashCounter, normalizeBeacon, DEFAULTS, } from "./watchdog-brake.js";
 const DATA_DIR = process.env.ALVIN_DATA_DIR || resolve(os.homedir(), ".alvin-bot");
 const STATE_DIR = resolve(DATA_DIR, "state");
 const BEACON_FILE = resolve(STATE_DIR, "watchdog.json");
@@ -50,30 +50,7 @@ function ensureStateDir() {
 function readBeacon() {
     try {
         const raw = fs.readFileSync(BEACON_FILE, "utf-8");
-        const parsed = JSON.parse(raw);
-        if (typeof parsed.lastBeat === "number" &&
-            typeof parsed.pid === "number" &&
-            typeof parsed.bootTime === "number" &&
-            typeof parsed.crashCount === "number" &&
-            typeof parsed.crashWindowStart === "number" &&
-            typeof parsed.version === "string") {
-            // Older beacons don't have daily-counter fields — default them to
-            // 0/now so the brake logic treats this run as the start of the
-            // first daily window.
-            return {
-                lastBeat: parsed.lastBeat,
-                pid: parsed.pid,
-                bootTime: parsed.bootTime,
-                crashCount: parsed.crashCount,
-                crashWindowStart: parsed.crashWindowStart,
-                version: parsed.version,
-                dailyCrashCount: typeof parsed.dailyCrashCount === "number" ? parsed.dailyCrashCount : 0,
-                dailyCrashWindowStart: typeof parsed.dailyCrashWindowStart === "number"
-                    ? parsed.dailyCrashWindowStart
-                    : Date.now(),
-            };
-        }
-        return null;
+        return normalizeBeacon(JSON.parse(raw));
     }
     catch {
         return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "5.1.5",
+  "version": "5.1.7",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",