bloby-bot 0.53.10 → 0.54.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bloby-bot",
-  "version": "0.53.10",
+  "version": "0.54.11",
   "releaseNotes": [
     "1. New Morphy animation system: config-driven sprites loaded from /morphy/*.json",
     "2. Swapped teleporting (splash) and headphones (bubble + chat) to the new format",
@@ -61,7 +61,7 @@
     "@streamdown/code": "^1.1.1",
     "@tailwindcss/vite": "^4.2.0",
     "@vitejs/plugin-react": "^6.0.1",
-    "@whiskeysockets/baileys": "^7.0.0-rc11",
+    "@whiskeysockets/baileys": "7.0.0-rc13",
     "better-sqlite3": "^12.6.2",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",

package/shared/config.ts

@@ -11,6 +11,11 @@ export interface ChannelConfig {
   skill?: string;
   /** Opt-in: process messages in group chats (default false). Channel mode ignores this. */
   allowGroups?: boolean;
+  /** Assistant mode only. When false (default) ONLY the account owner can trigger the agent
+   *  with `@botname`. When true, ANYONE who tags the bot (in a DM or group) can drive it.
+   *  DANGER: the triggerer gains control of an agent that can run Bash, edit files, etc.
+   *  Only enable for fully trusted shared use (e.g. a partner). See the WhatsApp SKILL.md. */
+  allowOthersToTrigger?: boolean;
 }
 
 export interface AlexaChannelConfig {

package/supervisor/backend.ts

@@ -14,6 +14,15 @@ let intentionallyStopped = false;
 let gaveUp = false;
 const MAX_RESTARTS = 3;
 const STABLE_THRESHOLD = 30_000; // 30s — if backend ran this long, it wasn't a crash loop
+// Rolling-window backstop: the 30s "stable" rule resets the consecutive counter, so a backend
+// that crashes every ~35s would otherwise restart forever. Give up if it crashes too often within
+// the window (kept generous so a legitimately long-running-then-crashing backend isn't penalized).
+let crashTimes: number[] = [];
+const CRASH_WINDOW_MS = 5 * 60_000; // 5 min
+const CRASH_WINDOW_MAX = 6;         // > this many crashes in the window → give up regardless of the 30s reset
+// Called once when the backend gives up, so the supervisor can tell the live chat (which exists
+// precisely so the user can be told to fix it). Set via setBackendGiveUpHandler; logging-only default.
+let onGiveUp: (() => void) | null = null;
 
 /** Extra env vars injected into every backend spawn (e.g. BLOBY_AGENT_SECRET) */
 let extraEnv: Record<string, string> = {};
@@ -23,6 +32,12 @@ export function setBackendEnv(env: Record<string, string>): void {
   extraEnv = { ...extraEnv, ...env };
 }
 
+/** Register a callback fired once when the backend gives up (crash-looped past the limits).
+ *  The supervisor wires this to broadcast a chat event so the user is told to fix it. */
+export function setBackendGiveUpHandler(fn: () => void): void {
+  onGiveUp = fn;
+}
+
 const LOG_FILE = path.join(WORKSPACE_DIR, '.backend.log');
 
 export function getBackendPort(basePort: number): number {
@@ -101,18 +116,24 @@ export function spawnBackend(port: number): ChildProcess {
 
     // Any unexpected exit (crash, SIGTERM, OOM, null code) — restart
     log.warn(`Backend exited unexpectedly (code ${code})`);
-    // If backend was alive for >30s, it's not a crash loop — reset counter
-    if (Date.now() - lastSpawnTime > STABLE_THRESHOLD) {
+    // Track crashes in a rolling window (backstop for the 30s-reset crash-loop hole).
+    const now = Date.now();
+    crashTimes = crashTimes.filter((t) => now - t < CRASH_WINDOW_MS);
+    crashTimes.push(now);
+    const windowExceeded = crashTimes.length > CRASH_WINDOW_MAX;
+    // If backend was alive for >30s, it's not a crash loop — reset the consecutive counter.
+    if (now - lastSpawnTime > STABLE_THRESHOLD) {
       restarts = 0;
     }
-    if (restarts < MAX_RESTARTS) {
+    if (!windowExceeded && restarts < MAX_RESTARTS) {
       restarts++;
       const delay = Math.min(1000 * restarts, 5000);
       log.info(`Restarting backend (${restarts}/${MAX_RESTARTS}, delay ${delay}ms)...`);
       setTimeout(() => spawnBackend(port), delay);
     } else {
       gaveUp = true;
-      log.error('Backend failed too many times. Use Bloby chat to debug.');
+      log.error(`Backend failed too many times${windowExceeded ? ` (${crashTimes.length} crashes in ${CRASH_WINDOW_MS / 60000}min)` : ''}. Use Bloby chat to debug.`);
+      try { onGiveUp?.(); } catch {}
     }
   });
 
@@ -212,4 +233,8 @@ export function isBackendStopping(): boolean {
 
 export function resetBackendRestarts(): void {
   restarts = 0;
+  // A deliberate restart (file edit, user fix, scheduler) is a fresh attempt — clear the rolling
+  // crash window too so a just-fixed backend gets a clean slate (deliberate stops never record a
+  // crash, so this only matters right after a give-up + fix).
+  crashTimes = [];
 }

package/supervisor/channels/manager.ts

@@ -83,6 +83,11 @@ interface DebounceEntry {
 /** Per-conversation accumulator for streaming bot text → WhatsApp. */
 export interface WaStreamState {
   chunkBuf: string;
+  /** True once the CURRENT turn has consumed its routing target (via `bot:response` or
+   *  `bot:error`). Reset on `bot:turn-complete`. Guards the turn-complete safety-net drain so a
+   *  normal turn — which already consumed on `bot:response` — never double-drains and eats the
+   *  NEXT queued message's target (the root cause of chat↔WhatsApp bleed and DM-answered-in-group). */
+  consumedThisTurn?: boolean;
 }
 
 /** Agent-turn events that carry per-turn content. Broadcast only for dashboard surfaces
@@ -489,6 +494,7 @@ export class ChannelManager {
 
     if (type === 'bot:response' && eventData?.content && convId) {
       const target = this.consumeRoute(convId);
+      state.consumedThisTurn = true;
       const remaining = state.chunkBuf.trim();
       state.chunkBuf = '';
 
@@ -514,20 +520,46 @@ export class ChannelManager {
       return;
     }
 
-    // Turn ended (or errored) without a bot:response — drain the head entry so it
-    // doesn't bleed into the next turn's reply. The SDK guarantees one response per
-    // pushed input; this safety net covers aborts, empty turns, and provider errors.
-    if ((type === 'bot:turn-complete' || type === 'bot:error') && convId) {
-      const head = this.peekRoute(convId);
-      if (head) {
+    // Turn errored without a usable reply — drain THIS turn's route so it can't bleed into the
+    // next turn. Guarded by `consumedThisTurn`: if `bot:response` already fired this turn it
+    // consumed the target, so we must NOT drain again.
+    if (type === 'bot:error' && convId) {
+      if (!state.consumedThisTurn) {
         const dropped = this.consumeRoute(convId);
-        log.warn(`[channels] ${type} without bot:response — dropping pending route (surface=${dropped?.surface}, to=${dropped?.waSendTo || 'none'})`);
-        if (dropped?.surface === 'alexa') {
-          const alexa = this.providers.get('alexa') as AlexaChannel | undefined;
-          alexa?.rejectHead(convId, type);
+        if (dropped) {
+          log.warn(`[channels] bot:error without bot:response — dropping pending route (surface=${dropped.surface}, to=${dropped.waSendTo || 'none'})`);
+          if (dropped.surface === 'alexa') {
+            const alexa = this.providers.get('alexa') as AlexaChannel | undefined;
+            alexa?.rejectHead(convId, type);
+          }
         }
+        state.consumedThisTurn = true;
       }
       state.chunkBuf = '';
+      return;
+    }
+
+    // Turn finished. Drain the head ONLY if this turn never consumed its route — i.e. a true
+    // empty turn (no `bot:response`, no `bot:error`; see harness claude.ts which always emits
+    // `bot:turn-complete` after every result). A normal turn already consumed on `bot:response`,
+    // so draining here would eat the NEXT queued message's target and every later reply would
+    // land on the wrong surface (chat↔WhatsApp bleed, DM answered in a group). Reset the per-turn
+    // flag afterwards so the next turn starts clean. Turns are strictly sequential per conversation
+    // (single input queue, one `result` at a time), so this per-conversation flag is race-free.
+    if (type === 'bot:turn-complete' && convId) {
+      if (!state.consumedThisTurn) {
+        const head = this.peekRoute(convId);
+        if (head) {
+          const dropped = this.consumeRoute(convId);
+          log.warn(`[channels] turn-complete without bot:response — dropping pending route (surface=${dropped?.surface}, to=${dropped?.waSendTo || 'none'})`);
+          if (dropped?.surface === 'alexa') {
+            const alexa = this.providers.get('alexa') as AlexaChannel | undefined;
+            alexa?.rejectHead(convId, type);
+          }
+        }
+      }
+      state.consumedThisTurn = false;
+      state.chunkBuf = '';
     }
   }
 
@@ -556,6 +588,22 @@ export class ChannelManager {
     return config.channels?.[channel];
   }
 
+  /** Robust "is this the account owner's own self-chat?" check.
+   *
+   *  Keys purely on JID equality (`isSelfChat` — the chat resolves to the owner's OWN number,
+   *  computed in whatsapp.ts from `ownPhoneJid` + LID translation). This is authoritative and is
+   *  UNAFFECTED by Baileys' `fromMe` decode regressions (e.g. the rc11→rc13 protocolMessage
+   *  `fromMe=false` bug): the chat JID of a self-message is still the owner's own number even when
+   *  `fromMe` decodes wrong. So we deliberately do NOT also require `fromMe` (which the old gate
+   *  did — that's what silently dropped self-messages under rc11).
+   *
+   *  We also deliberately do NOT treat `fromMe` alone as self-chat: `fromMe` is true for the owner
+   *  messaging a CONTACT from a linked device too, so a `fromMe`-based OR would misroute those into
+   *  the admin brain. Only own-number JID equality is safe and false-positive-free. */
+  private isOwnerSelfChat(isSelfChat: boolean, isGroup: boolean): boolean {
+    return !isGroup && isSelfChat;
+  }
+
   /** Handle an incoming message from any channel — debounces rapid messages from the same sender.
    *
    * Per-mode behavior is decided here. To add a new mode: extend the gating block below
@@ -586,26 +634,36 @@ export class ChannelManager {
       if (!channelConfig.allowGroups) return;
     }
 
+    // Owner self-chat — JID-based, immune to Baileys `fromMe` decode regressions.
+    const selfChat = this.isOwnerSelfChat(isSelfChat, isGroup);
+
     // ── Channel mode: ONLY respond to self-chat ──
     if (mode === 'channel') {
-      if (!fromMe || !isSelfChat) return;
+      if (!selfChat) return;
     }
 
-    // ── Business mode: filter outgoing (except self-chat) ──
-    if (mode === 'business' && fromMe && !isSelfChat) return;
+    // ── Business mode: filter outgoing to others (your messages to customers, not self-chat) ──
+    if (mode === 'business' && fromMe && !selfChat) return;
 
     // ── Assistant mode ──
     // Self-chat: falls through to debounce (processed as admin)
-    // Others' messages or my untriggered messages: store for context, don't invoke
-    // My messages with @botname trigger: falls through to debounce → agent
-    if (mode === 'assistant' && !(fromMe && isSelfChat)) {
+    // Others' messages or untriggered messages: store for context, don't invoke
+    // Triggered messages: fall through to debounce → agent (owner always; others only if opted-in)
+    if (mode === 'assistant' && !selfChat) {
       // Store every message for context (both mine and theirs) — keyed by the chat (group or 1:1)
       this.storeAssistantContext(channel, chatJid, senderName, text, fromMe);
 
-      // Only continue if it's me AND the message contains the trigger
+      // Trigger must be present.
       const botName = loadConfig().username || 'bloby';
       const triggerPattern = new RegExp(`(?:^|\\n)\\s*@${botName}[:\\s]`, 'i');
-      if (!fromMe || !triggerPattern.test(text)) return;
+      if (!triggerPattern.test(text)) return;
+
+      // Who may drive the agent? By default ONLY the account owner (fromMe). When the channel is
+      // explicitly configured with `allowOthersToTrigger`, anyone who tags the bot can — a
+      // deliberately dangerous shared-control mode (the triggerer gets an agent with Bash, file
+      // access, etc.; see the WhatsApp SKILL.md disclaimer).
+      const allowOthers = channelConfig.allowOthersToTrigger === true;
+      if (!fromMe && !allowOthers) return;
       // Falls through to debounce → flushDebounce → handleAssistantMessage
     }
 
@@ -660,8 +718,12 @@ export class ChannelManager {
     // Reply identifier — strip JID suffix to get a stable id (phone for 1:1, group hash for groups)
     const chatId = chatJid.replace(/@.*/, '');
 
+    // Owner self-chat — JID-based, immune to Baileys `fromMe` decode regressions (matches the
+    // gate in handleInboundMessage so a self-message can't pass one check and fail the other).
+    const selfChat = this.isOwnerSelfChat(isSelfChat, isGroup);
+
     // Route based on mode and role
-    if (mode === 'channel' || (mode === 'business' && fromMe && isSelfChat) || (mode === 'assistant' && fromMe && isSelfChat)) {
+    if (mode === 'channel' || (mode === 'business' && selfChat) || (mode === 'assistant' && selfChat)) {
       // Admin (self-chat in any mode)
       const message: InboundMessage = {
         channel,

package/supervisor/channels/types.ts

@@ -15,6 +15,11 @@ export interface ChannelConfig {
   skill?: string;
   /** Opt-in: process messages in group chats (default false). Channel mode ignores this. */
   allowGroups?: boolean;
+  /** Assistant mode only. When false (default) ONLY the account owner (fromMe) can trigger
+   *  the agent with `@botname`. When true, ANYONE who tags the bot (DM or group) can drive it.
+   *  DANGER: the triggerer gains full control of an agent that can run Bash, edit files, etc.
+   *  Enable only for fully trusted shared use. See the WhatsApp SKILL.md disclaimer. */
+  allowOthersToTrigger?: boolean;
 }
 
 export interface InboundMessageAttachment {

package/supervisor/chat/src/components/Chat/EnvForm.tsx

@@ -1,5 +1,6 @@
 import { useState } from 'react';
 import { Check, KeyRound, Loader2, AlertCircle } from 'lucide-react';
+import { authFetch } from '../../lib/auth';
 
 export interface EnvField {
   name: string;
@@ -34,7 +35,7 @@ export default function EnvForm({ group }: Props) {
     setErrorMsg('');
 
     try {
-      const res = await fetch('/api/env', {
+      const res = await authFetch('/api/env', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ vars: Object.fromEntries(filled) }),

package/supervisor/harnesses/claude.ts

@@ -191,7 +191,7 @@ async function buildConversationOptions(
   recentMessages?: RecentMessage[],
 ): Promise<Omit<Options, 'abortController' | 'stderr'>> {
   const memoryFiles = readMemoryFiles();
-  const basePrompt = await assembleSystemPrompt(names?.botName, names?.humanName);
+  const basePrompt = await assembleSystemPrompt(names?.botName, names?.humanName, 'claude');
   let systemPrompt = basePrompt;
   systemPrompt += `\n\n---\n# Your Memory Files\n\n## MYSELF.md\n${memoryFiles.myself}\n\n## MYHUMAN.md\n${memoryFiles.myhuman}\n\n## MEMORY.md\n${memoryFiles.memory}\n\n---\n# Your Config Files\n\n## PULSE.json\n${memoryFiles.pulse}\n\n## CRONS.json\n${memoryFiles.crons}`;
 
@@ -594,7 +594,7 @@ export async function startBlobyAgentQuery(
   if (supportPrompt) {
     enrichedPrompt = supportPrompt;
   } else {
-    const basePrompt = await assembleSystemPrompt(names?.botName, names?.humanName);
+    const basePrompt = await assembleSystemPrompt(names?.botName, names?.humanName, 'claude');
     enrichedPrompt = basePrompt;
     enrichedPrompt += `\n\n---\n# Your Memory Files\n\n## MYSELF.md\n${memoryFiles.myself}\n\n## MYHUMAN.md\n${memoryFiles.myhuman}\n\n## MEMORY.md\n${memoryFiles.memory}\n\n---\n# Your Config Files\n\n## PULSE.json\n${memoryFiles.pulse}\n\n## CRONS.json\n${memoryFiles.crons}`;
 
@@ -614,6 +614,15 @@ export async function startBlobyAgentQuery(
 
   activeQueries.set(conversationId, { abortController });
 
+  // Hard watchdog: a hung CLI subprocess (network stall, stuck MCP) would otherwise leave the
+  // `for await` loop pending forever — the finally never runs, bot:done never fires, and the
+  // caller's per-conversation slot (WhatsApp activeAgents / scheduler) is pinned for good. Abort
+  // after 5 min so the finally always emits bot:done. Cleared on normal completion.
+  const watchdog = setTimeout(() => {
+    log.warn(`[bloby-agent] One-shot query timed out (5m) — aborting conv=${conversationId}`);
+    abortController.abort();
+  }, 300_000);
+
   let fullText = '';
   const usedTools = new Set<string>();
   let stderrBuf = '';
@@ -705,6 +714,7 @@ export async function startBlobyAgentQuery(
       onMessage('bot:error', { conversationId, error: errMsg });
     }
   } finally {
+    clearTimeout(watchdog);
     activeQueries.delete(conversationId);
     const FILE_TOOLS = ['Write', 'Edit', 'MultiEdit', 'NotebookEdit'];
     const usedFileTools = FILE_TOOLS.some((t) => usedTools.has(t));