alvin-bot 5.3.0 → 5.5.0

package/dist/services/ssrf-guard.js

@@ -0,0 +1,162 @@
+/**
+ * SSRF Guard — rejects requests to private/internal network destinations.
+ *
+ * Blocks:
+ *   - Non-http(s) schemes (file://, ftp://, etc.)
+ *   - IPv4 loopback (127.0.0.0/8), link-local (169.254.0.0/16 — incl. cloud
+ *     metadata endpoint 169.254.169.254), RFC-1918 private ranges
+ *     (10/8, 172.16/12, 192.168/16), and the catch-all 0.0.0.0
+ *   - IPv6 loopback (::1), ULA (fc00::/7), link-local (fe80::/10)
+ *
+ * Opt-out: set ALLOW_PRIVATE_FETCH=1 to disable blocking (for local dev /
+ * self-hosted setups). Default = blocked.
+ *
+ * No new runtime dependencies — uses Node's built-in `dns` and `net` modules.
+ */
+import dns from "dns";
+import net from "net";
+export class SsrfBlockedError extends Error {
+    url;
+    constructor(url, reason) {
+        super(`SSRF blocked: ${reason} (url: ${url})`);
+        this.name = "SsrfBlockedError";
+        this.url = url;
+    }
+}
+/**
+ * Return true if the given IPv4 address string falls into a private/reserved
+ * range (RFC-1918, loopback, link-local, unspecified).
+ *
+ * Ranges blocked:
+ *   0.0.0.0/8        — "this" network
+ *   10.0.0.0/8       — RFC-1918 class A
+ *   127.0.0.0/8      — loopback
+ *   169.254.0.0/16   — link-local (incl. IMDS 169.254.169.254)
+ *   172.16.0.0/12    — RFC-1918 class B (172.16–172.31)
+ *   192.168.0.0/16   — RFC-1918 class C
+ */
+function isPrivateIPv4(ip) {
+    const parts = ip.split(".").map(Number);
+    if (parts.length !== 4 || parts.some(p => isNaN(p) || p < 0 || p > 255)) {
+        return false; // not a valid IPv4 — let DNS resolve decide
+    }
+    const [a, b] = parts;
+    if (a === 0)
+        return true; // 0.0.0.0/8
+    if (a === 10)
+        return true; // 10.0.0.0/8
+    if (a === 127)
+        return true; // 127.0.0.0/8 loopback
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16 link-local
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16
+    return false;
+}
+/**
+ * Return true if the given IPv6 address string falls into a blocked range.
+ *
+ * Ranges blocked:
+ *   ::1              — loopback
+ *   fc00::/7         — ULA (fc00:: – fdff::)
+ *   fe80::/10        — link-local
+ */
+function isPrivateIPv6(ip) {
+    // Node net.isIPv6 normalises the address but we need the raw string
+    // for prefix checks. Use the compressed form from net.
+    const normalized = ip.toLowerCase().replace(/^\[|\]$/g, "");
+    // Loopback
+    if (normalized === "::1")
+        return true;
+    // For prefix checks, expand just the first 16-bit group
+    const firstGroup = normalized.split(":")[0];
+    const value = parseInt(firstGroup || "0", 16);
+    // fc00::/7 — fc00 to fdff (bit 7 of first byte = 1, bit 6 = 1, bit 5 doesn't matter… easier: 0xfc00–0xfdff range for the first 16 bits)
+    // The /7 prefix means: binary prefix 1111110x — so 0xfc00 to 0xfdff
+    if (value >= 0xfc00 && value <= 0xfdff)
+        return true;
+    // fe80::/10 — fe80 to febf
+    if (value >= 0xfe80 && value <= 0xfebf)
+        return true;
+    return false;
+}
+/**
+ * Check whether a raw IP string (v4 or v6) is a private/internal address.
+ */
+function isPrivateIP(ip) {
+    const stripped = ip.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    if (net.isIPv4(stripped))
+        return isPrivateIPv4(stripped);
+    if (net.isIPv6(stripped))
+        return isPrivateIPv6(stripped);
+    return false;
+}
+/**
+ * Check the hostname from a URL — if it's a literal IP, classify immediately.
+ * If it's a hostname, resolve it via DNS and check every returned address.
+ *
+ * Throws SsrfBlockedError if any resolved address is private.
+ * Resolves void if all addresses are public (or DNS fails — fail-open on DNS
+ * errors so a temporary resolver blip doesn't DoS the bot; the risk is low
+ * because the per-host literal-IP checks run before DNS).
+ */
+async function checkHost(hostname, url) {
+    const bare = hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets for net.isIP
+    // Literal IP — no DNS needed
+    if (net.isIP(bare)) {
+        if (isPrivateIP(bare)) {
+            throw new SsrfBlockedError(url, `destination ${bare} is a private/loopback/link-local address`);
+        }
+        return;
+    }
+    // Named hostname — also catch obvious loopback hostnames without DNS
+    const lower = bare.toLowerCase();
+    if (lower === "localhost" || lower.endsWith(".localhost") || lower === "::1") {
+        throw new SsrfBlockedError(url, `destination hostname '${bare}' resolves to loopback`);
+    }
+    // DNS resolution — check every returned address
+    try {
+        const { promises: dnsPromises } = dns;
+        const addresses = await dnsPromises.resolve(bare);
+        for (const addr of addresses) {
+            if (isPrivateIP(addr)) {
+                throw new SsrfBlockedError(url, `destination hostname '${bare}' resolves to private address ${addr}`);
+            }
+        }
+    }
+    catch (err) {
+        // Re-throw our own error; swallow DNS failures (fail-open)
+        if (err instanceof SsrfBlockedError)
+            throw err;
+        // DNS error (ENOTFOUND, etc.) — let the actual fetch fail naturally
+    }
+}
+/**
+ * Assert that `url` is safe to fetch (not SSRF-risky).
+ *
+ * - Rejects non-http(s) schemes immediately (synchronous check).
+ * - Resolves hostnames to detect private IP destinations.
+ * - Respects ALLOW_PRIVATE_FETCH=1 for operator opt-out.
+ *
+ * Throws SsrfBlockedError when blocked.
+ * Resolves void when safe.
+ */
+export async function assertSsrfSafe(url) {
+    // Opt-out for trusted local / self-hosted environments
+    if (process.env.ALLOW_PRIVATE_FETCH === "1")
+        return;
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new SsrfBlockedError(url, "invalid URL");
+    }
+    const scheme = parsed.protocol; // includes trailing ':'
+    if (scheme !== "http:" && scheme !== "https:") {
+        throw new SsrfBlockedError(url, `scheme '${parsed.protocol}' is not allowed (only http/https)`);
+    }
+    await checkHost(parsed.hostname, url);
+}

package/dist/services/steer-channel.js

@@ -7,17 +7,22 @@ export class SteerChannel {
     constructor(cap = DEFAULT_CAP) {
         this.cap = cap;
     }
+    /** Push a message into the channel.
+     *  Returns true if the message was accepted, false if it was dropped
+     *  (channel closed or buffer cap reached). Callers must check the
+     *  return value to decide whether to send a 📨 ack or a bufferFull notice. */
     push(text) {
         if (this.closed)
-            return;
+            return false;
         if (this.buf.length >= this.cap) {
             console.warn(`[steer-channel] cap ${this.cap} reached — dropping steer message`);
-            return;
+            return false;
         }
         this.buf.push({ type: "user", message: { role: "user", content: text }, parent_tool_use_id: null });
         const r = this.resolveNext;
         this.resolveNext = null;
         r?.();
+        return true;
     }
     close() {
         if (this.closed)

package/dist/services/subagent-delivery.js

@@ -24,6 +24,22 @@ function isTelegramParseError(err) {
     const haystack = `${e.message ?? ""} ${e.description ?? ""}`;
     return /can't parse entities|can't find end of the entity/i.test(haystack);
 }
+/**
+ * B3 — A Telegram send rejected because the TARGET CHAT DOES NOT EXIST
+ * (HTTP 400 "Bad Request: chat not found"). This is a permanent,
+ * non-recoverable condition: the chat id is invalid (e.g. the stale
+ * chat_id:1 test agent), so every retry will fail identically and just
+ * spam stderr. Distinct from transient failures (network, rate-limit)
+ * which ARE worth retrying. Matched narrowly on the chat-not-found
+ * signature only — never on generic Bad Request.
+ */
+export function isChatNotFoundError(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    const e = err;
+    const haystack = `${e.message ?? ""} ${e.description ?? ""}`;
+    return /chat not found/i.test(haystack);
+}
 /**
  * Send a Markdown message with an automatic plain-text retry on parse
  * errors. Any other error propagates to the caller's outer catch.
@@ -251,28 +267,29 @@ export function createLiveStream(chatId, agentName) {
  *   - "slack" / "discord" / "whatsapp" → delivery-registry lookup
  */
 export async function deliverSubAgentResult(info, result, opts = {}) {
+    const OK = { chatNotFound: false };
     // Implicit spawns: the Task-tool bridge in the main stream has already
     // surfaced the output; extra delivery would be duplication.
     if (info.source === "implicit")
-        return;
+        return OK;
     const effective = opts.visibility ?? getVisibility();
     if (effective === "silent")
-        return;
+        return OK;
     if (!info.parentChatId) {
         console.warn(`[subagent-delivery] missing parentChatId for ${info.name} (source=${info.source})`);
-        return;
+        return OK;
     }
     // v4.14 — Platform routing. Telegram is the default path (unchanged).
     const platform = info.platform ?? "telegram";
     if (platform !== "telegram") {
         await deliverViaRegistry(platform, info, result);
-        return;
+        return OK;
     }
     // ── Telegram path (v4.12.x behavior, unchanged) ──────────────────
     const api = getBotApi();
     if (!api) {
         console.warn(`[subagent-delivery] no bot api available for ${info.name}`);
-        return;
+        return OK;
     }
     // Telegram's chatId is always a number at runtime; defensive cast.
     const tgChatId = typeof info.parentChatId === "number"
@@ -280,7 +297,7 @@ export async function deliverSubAgentResult(info, result, opts = {}) {
         : Number(info.parentChatId);
     if (!Number.isFinite(tgChatId)) {
         console.warn(`[subagent-delivery] invalid telegram chatId for ${info.name}`);
-        return;
+        return OK;
     }
     const banner = buildBanner(info, result);
     const body = result.output?.trim() || `(empty output)`;
@@ -297,12 +314,12 @@ export async function deliverSubAgentResult(info, result, opts = {}) {
                 console.error(`[subagent-delivery] file upload failed:`, err);
                 await api.sendMessage(tgChatId, body.slice(0, MAX_TG_CHUNK));
             }
-            return;
+            return OK;
         }
         // Case 2: fits in a single message → banner + body joined
         if (body.length + banner.length + 2 <= MAX_TG_CHUNK) {
             await sendWithMarkdownFallback(api, tgChatId, `${banner}\n\n${body}`);
-            return;
+            return OK;
         }
         // Case 3: medium output → banner as its own message, body chunked
         await sendWithMarkdownFallback(api, tgChatId, banner);
@@ -311,9 +328,15 @@ export async function deliverSubAgentResult(info, result, opts = {}) {
             // arbitrary chunk boundaries would be inconsistent anyway.
             await api.sendMessage(tgChatId, body.slice(i, i + MAX_TG_CHUNK));
         }
+        return OK;
     }
     catch (err) {
         console.error(`[subagent-delivery] send failed for ${info.name}:`, err);
+        // B3 — report a permanent invalid-target failure so the watcher can
+        // abandon this agent instead of retrying it forever. Any other error
+        // (network, rate-limit, parse) is NOT reported as chatNotFound, so the
+        // agent's normal retry/timeout lifecycle is unchanged.
+        return { chatNotFound: isChatNotFoundError(err) };
     }
 }
 /**

package/dist/services/telegram.js

@@ -17,6 +17,15 @@ export class TelegramStreamer {
         this.api = api;
         this.replyTo = replyToMessageId;
     }
+    /**
+     * True when at least one message has been sent to the user (i.e. messageId
+     * is set). Used by the A3 suppress-undelivered guard in message.ts to
+     * determine whether visible text has already reached the user — if so, the
+     * no-retract invariant prevents suppressing the final send.
+     */
+    get hasSentText() {
+        return this.messageId !== null;
+    }
     /**
      * Set a transient status line (e.g. "📖 Read file.html…") that gets
      * appended to the current accumulated text. Passing null clears it.

package/dist/services/trends.js

@@ -33,12 +33,81 @@
  *   ALVIN_TRENDS_INTERVAL_HOURS=24         → snapshot cadence
  *   ALVIN_TRENDS_AI_AFTER_DAYS=7           → days of data before AI analysis kicks in
  */
-import { appendFileSync, existsSync, readFileSync, mkdirSync } from "fs";
+import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
 import { join, dirname } from "path";
 import { homedir } from "os";
 import { BOT_VERSION } from "../version.js";
 import { emitCritical } from "./critical-notify.js";
 const TRENDS_PATH = join(homedir(), ".alvin-bot", "state", "trends.jsonl");
+/**
+ * B2 — peak-uptime high-water mark. The trends collector takes its FIRST
+ * snapshot ~60s after every boot (startTrendsCollector schedules it at
+ * 60_000ms). takeSnapshot() records uptime_s = process.uptime(), so the
+ * first post-restart sample is structurally ≈ 62s. With deliberate
+ * restarts (/update, launchctl reload) those ~62s samples dominate
+ * trends.jsonl, so the 30-day AI pass perpetually concludes "restart
+ * loop, never lives past ~62s" even when the process has actually been
+ * continuously up for hours by the time the daily snapshot fires.
+ *
+ * Fix: persist the MAXIMUM real uptime this bot has ever observed (across
+ * process generations) and record it on every snapshot as uptime_peak_s.
+ * The peak only ever derives from process.uptime() — it is never
+ * fabricated or extrapolated. The anomaly evaluation then keys on the
+ * peak (hasRepresentativeUptime), so a process that genuinely lived for
+ * hours is not flagged as a ~62s loop, while a genuine fast-restart loop
+ * (peak never climbs past the startup transient) still fires.
+ *
+ * Stored next to trends.jsonl (state/), honoring ALVIN_DATA_DIR so tests
+ * and non-default installs work. Survives restarts by design — that is
+ * the whole point of a high-water mark.
+ */
+function trendsStateDir() {
+    const base = process.env.ALVIN_DATA_DIR || join(homedir(), ".alvin-bot");
+    return join(base, "state");
+}
+function uptimePeakPath() {
+    return join(trendsStateDir(), "uptime-peak.json");
+}
+/**
+ * The startup transient: takeSnapshot's first sample is taken ~60s after
+ * boot, so any uptime at/under this is indistinguishable from "just
+ * restarted". An uptime ABOVE this proves the process actually lived past
+ * the post-restart sampling window. 600s (10 min) is comfortably above
+ * the 60s first-sample delay + scheduling jitter and far below the 24h
+ * cron cadence, so a healthy bot trivially clears it while a real
+ * crash-loop (exits within seconds/a couple minutes) never does.
+ */
+export const STARTUP_TRANSIENT_S = 600;
+/**
+ * Read the persisted peak uptime, fold in the CURRENT real uptime, persist
+ * the (possibly larger) high-water mark, and return it. Pure w.r.t. time
+ * sources: the only uptime input is process.uptime() — nothing invented.
+ * Disk failures degrade gracefully to the current real uptime.
+ */
+function bumpAndReadUptimePeak() {
+    const currentReal = Math.round(process.uptime());
+    let stored = 0;
+    try {
+        const raw = readFileSync(uptimePeakPath(), "utf-8");
+        const parsed = JSON.parse(raw);
+        if (typeof parsed.peak_s === "number" && Number.isFinite(parsed.peak_s) && parsed.peak_s > 0) {
+            stored = parsed.peak_s;
+        }
+    }
+    catch {
+        // No file yet / unreadable — start the high-water mark from the
+        // current real uptime. Not an error.
+    }
+    const peak = Math.max(stored, currentReal);
+    try {
+        mkdirSync(trendsStateDir(), { recursive: true });
+        writeFileSync(uptimePeakPath(), JSON.stringify({ peak_s: peak }), "utf-8");
+    }
+    catch {
+        // Disk full / permissions — non-fatal; we still return the in-memory peak.
+    }
+    return peak;
+}
 const DEFAULT_INTERVAL_HOURS = 24;
 const DEFAULT_AI_THRESHOLD_DAYS = 7;
 const MAX_RETAIN_DAYS = 90;
@@ -54,6 +123,18 @@ const MAX_RETAIN_DAYS = 90;
  *     (a successful, expected fallback — not an error)
  *   - critical-notify's own delivery-outcome line, kept on stderr on
  *     purpose so it stays visible even in brake/crash context
+ *   - B3: subagent-delivery's "send failed … chat not found" line for a
+ *     stale/test async-agent whose delivery target chat no longer exists
+ *     (e.g. the recurring chat_id:1 test agent). This is benign noise,
+ *     not a real fault: the target chat is invalid, the watcher now
+ *     abandons such agents (see async-agent-watcher.ts), and counting it
+ *     made errors_24h creep upward indefinitely on every poll cycle.
+ *     The match is DELIBERATELY narrow — it requires BOTH the
+ *     `[subagent-delivery] send failed` prefix AND a `chat not found`
+ *     cause on the same line. A subagent-delivery failure for ANY other
+ *     reason (network, rate-limit, parse) is still counted, and a
+ *     `chat not found` from ANY OTHER subsystem (a real misconfigured
+ *     target) is still counted.
  *
  * Counting those turned this very monitor into a false-alarm generator:
  * it flagged its OWN log lines plus every release's restart churn, so
@@ -65,7 +146,7 @@ const MAX_RETAIN_DAYS = 90;
  * any, get added here in one place instead of being chased across the
  * codebase.
  */
-export const ERR_LOG_PATTERN = /^(?!.*(?:\[critical-notify\]|\[subagent-delivery\] Markdown parse failed)).+/;
+export const ERR_LOG_PATTERN = /^(?!.*(?:\[critical-notify\]|\[subagent-delivery\] Markdown parse failed|\[subagent-delivery\] send failed.*chat not found)).+/;
 let trendsTimer = null;
 function isDisabled() {
     return (process.env.ALVIN_DISABLE_TRENDS === "true" ||
@@ -134,6 +215,7 @@ function takeSnapshot(activeProvider) {
     return {
         ts: new Date().toISOString(),
         uptime_s: Math.round(process.uptime()),
+        uptime_peak_s: bumpAndReadUptimePeak(),
         rss_mb: Math.round(mem.rss / 1024 / 1024),
         heap_mb: Math.round(mem.heapUsed / 1024 / 1024),
         crashes_24h: readWatchdogCrashes24h(),
@@ -195,6 +277,92 @@ SUGGESTION: <one shell command OR observation for the operator>
 --- LAST {N} DAYS OF SNAPSHOTS ---
 {SNAPSHOTS}
 --- END ---`;
+/**
+ * Returns true if at least one snapshot in `snaps` has a non-zero
+ * crashes_24h value, meaning a REAL crash (not an expected/deliberate
+ * restart) was recorded on that day.
+ *
+ * After the B1 fix, deliberate restarts (SIGTERM / launchctl reload /
+ * /restart / /update) write the expectedRestart beacon flag and are NOT
+ * counted in dailyCrashCount. So crashes_24h === 0 across all snapshots
+ * means the bot was only restarted intentionally — no real crash evidence.
+ *
+ * Pure function, exported for unit testing.
+ */
+export function hasRealCrashEvidence(snaps) {
+    return snaps.some((s) => typeof s.crashes_24h === "number" && s.crashes_24h > 0);
+}
+/**
+ * B2 — Returns true if AT LEAST ONE snapshot proves the bot process
+ * genuinely lived past the startup transient (i.e. it is NOT a ~62s
+ * restart loop).
+ *
+ * The first per-boot snapshot is structurally taken ~60s after boot, so
+ * its raw uptime_s is always ≈ 62 regardless of how long the process
+ * subsequently runs. uptime_peak_s is the high-water mark of REAL
+ * process.uptime() carried across process generations, so a single
+ * snapshot whose peak exceeds STARTUP_TRANSIENT_S is hard evidence the
+ * process did live for a representative duration. Legacy pre-B2 lines
+ * have no uptime_peak_s — we fall back to their raw uptime_s, so a legacy
+ * 24h cron snapshot still counts as representative on its own.
+ *
+ * A genuine fast-restart loop never lets the peak climb past the
+ * transient, so it correctly returns false and the WARN still fires.
+ *
+ * Pure function, exported for unit testing.
+ */
+export function hasRepresentativeUptime(snaps) {
+    return snaps.some((s) => {
+        const peak = typeof s.uptime_peak_s === "number" && Number.isFinite(s.uptime_peak_s)
+            ? s.uptime_peak_s
+            : typeof s.uptime_s === "number" && Number.isFinite(s.uptime_s)
+                ? s.uptime_s
+                : 0;
+        return peak > STARTUP_TRANSIENT_S;
+    });
+}
+/**
+ * B2/B4 — Pure crash/restart WARN suppression decision.
+ *
+ * Encodes the SAME two gates, in the SAME precedence, that dailyTask
+ * applies inline (B2 before B4). Extracted as a pure function purely so
+ * the gate COMPOSITION (not just each helper in isolation) is unit
+ * testable — the helpers are individually correct but the interaction
+ * is where the real-crash-loop-after-a-healthy-period regression lives.
+ *
+ * Returns the suppression reason, or "none" when the WARN must fire.
+ *
+ *  - "representative-uptime" (B2): a deliberate-restart / sampling
+ *    artifact — the AI saw ~62s uptimes but a snapshot peak proves the
+ *    process actually lived past the startup transient. ONLY applies
+ *    when there is no real crash evidence: a genuine crash loop after a
+ *    prior healthy period still carries the persisted high peak, so
+ *    without the crash-evidence guard B2 would permanently and silently
+ *    swallow it. With the guard, crashes_24h>0 falls through to B4.
+ *  - "no-crash-evidence" (B4): crash/restart pattern but crashes_24h===0
+ *    everywhere (deliberate-restart-only, not a real crash loop).
+ *  - "none": the WARN is real and must be emitted.
+ *
+ * Pure function, exported for unit testing.
+ */
+export function evaluateCrashRestartSuppression(isCrashRestartPattern, snaps) {
+    if (!isCrashRestartPattern)
+        return "none";
+    const realCrash = hasRealCrashEvidence(snaps);
+    // B2: only the deliberate-restart / sampling-artifact case. A real
+    // crash loop (crashes_24h>0) must NOT be suppressed here even though
+    // the persisted uptime high-water mark still reads representative.
+    if (!realCrash && hasRepresentativeUptime(snaps))
+        return "representative-uptime";
+    // B4: crash/restart pattern with zero real crash evidence.
+    if (!realCrash)
+        return "no-crash-evidence";
+    return "none";
+}
+/** Test-only: take a snapshot without writing to trends.jsonl. */
+export function __takeSnapshotForTest(activeProvider) {
+    return takeSnapshot(activeProvider);
+}
 function parseTrendResponse(text) {
     if (/^ANOMALY:\s*NONE/im.test(text)) {
         return {
@@ -296,6 +464,38 @@ async function dailyTask(registry) {
             console.log(`📊 Trends AI: no anomaly detected`);
             return;
         }
+        const recentSnaps = readSnapshots(30);
+        const isCrashRestartPattern = /crash|restart|loop|uptime/i.test(result.description);
+        // B2 gate: suppress an "uptime stuck at ~62s / restart loop" WARN when
+        // the snapshots PROVE the process actually lived past the startup
+        // transient. The first per-boot snapshot is structurally sampled ~60s
+        // after boot, so raw uptime_s reads ≈62 even for a perfectly healthy
+        // bot that has been up for hours by the time the daily snapshot fires.
+        // uptime_peak_s is the high-water mark of real process.uptime() across
+        // process generations: if ANY snapshot's peak exceeds the transient,
+        // the "~62s loop" conclusion is factually false. A genuine fast-restart
+        // loop never lets the peak climb, so it is NOT suppressed here.
+        if (isCrashRestartPattern && !hasRealCrashEvidence(recentSnaps) && hasRepresentativeUptime(recentSnaps)) {
+            console.log(`📊 Trends AI: suppressed WARN "${result.description}" — ` +
+                `uptime/restart pattern flagged but at least one snapshot shows a ` +
+                `representative peak uptime (>${STARTUP_TRANSIENT_S}s); the process ` +
+                `did live well past the post-restart sampling window, not a ~62s loop`);
+            return;
+        }
+        // B4 gate: suppress WARN when the AI flags a crash/restart-loop pattern
+        // but the historical snapshots contain ZERO real crash evidence
+        // (crashes_24h === 0 across the board). This happens when the bot was
+        // restarted deliberately (launchctl reload / /update / /restart) — those
+        // produce low uptimes that the AI reads as "restart loop", but the
+        // crash counter stays at 0 because markExpectedRestart() was written
+        // on each clean shutdown. A real crash loop WILL have crashes_24h > 0
+        // in at least one snapshot and will still fire the WARN.
+        if (isCrashRestartPattern && !hasRealCrashEvidence(recentSnaps)) {
+            console.log(`📊 Trends AI: suppressed WARN "${result.description}" — ` +
+                `crash/restart pattern detected but crashes_24h=0 across all snapshots ` +
+                `(deliberate-restart-only, not a real crash loop)`);
+            return;
+        }
         console.log(`📊 Trends AI: ANOMALY (${result.severity}) — ${result.description}`);
         emitCritical({
             category: "custom",

package/dist/services/voice.js

@@ -21,9 +21,6 @@ export async function transcribeAudio(audioPath) {
     const bodyEnd = Buffer.from(`\r\n--${boundary}\r\n` +
         `Content-Disposition: form-data; name="model"\r\n\r\n` +
         `whisper-large-v3-turbo\r\n` +
-        `--${boundary}\r\n` +
-        `Content-Disposition: form-data; name="language"\r\n\r\n` +
-        `de\r\n` +
         `--${boundary}--\r\n`, "utf-8");
     const fullBody = Buffer.concat([bodyStart, fileBuffer, bodyEnd]);
     return new Promise((resolve, reject) => {