bloby-bot 0.53.8 → 0.53.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bloby-bot",
-  "version": "0.53.8",
+  "version": "0.53.10",
   "releaseNotes": [
     "1. New Morphy animation system: config-driven sprites loaded from /morphy/*.json",
     "2. Swapped teleporting (splash) and headphones (bubble + chat) to the new format",

package/supervisor/chat/bloby-main.tsx

@@ -197,7 +197,7 @@ function BlobyApp() {
         const reg = await navigator.serviceWorker.ready;
         const subscription = await reg.pushManager.getSubscription();
         if (subscription) {
-          const res = await fetch(`/api/push/status?endpoint=${encodeURIComponent(subscription.endpoint)}`);
+          const res = await authFetch(`/api/push/status?endpoint=${encodeURIComponent(subscription.endpoint)}`);
           const data = await res.json();
           setPushState(data.subscribed ? 'subscribed' : 'unsubscribed');
         } else {

package/supervisor/chat/src/hooks/useChat.ts

@@ -1,5 +1,6 @@
 import { useCallback, useEffect, useState, useRef } from 'react';
 import type { WsClient } from '../lib/ws-client';
+import { authFetch } from '../lib/auth';
 
 export interface StoredAttachment {
   type: string;
@@ -45,7 +46,7 @@ export function useChat(ws: WsClient | null) {
   useEffect(() => {
     if (loaded.current) return;
     loaded.current = true;
-    fetch('/api/context/current')
+    authFetch('/api/context/current')
       .then((r) => r.json())
       .then((data) => {
         if (data.conversationId) {
@@ -58,7 +59,7 @@ export function useChat(ws: WsClient | null) {
   // Load messages when conversationId is set
   useEffect(() => {
     if (!conversationId) return;
-    fetch(`/api/conversations/${conversationId}`)
+    authFetch(`/api/conversations/${conversationId}`)
       .then((r) => {
         if (!r.ok) throw new Error('not found');
         return r.json();
@@ -105,7 +106,7 @@ export function useChat(ws: WsClient | null) {
       .catch(() => {
         // Conversation gone — clear
         setConversationId(null);
-        fetch('/api/context/clear', { method: 'POST' }).catch(() => {});
+        authFetch('/api/context/clear', { method: 'POST' }).catch(() => {});
       });
   }, [conversationId]);
 
@@ -114,7 +115,7 @@ export function useChat(ws: WsClient | null) {
   useEffect(() => {
     if (conversationId && conversationId !== prevConvId.current) {
       prevConvId.current = conversationId;
-      fetch('/api/context/set', {
+      authFetch('/api/context/set', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ conversationId }),
@@ -274,7 +275,7 @@ export function useChat(ws: WsClient | null) {
     setTools([]);
     prevConvId.current = null;
     loaded.current = false;
-    fetch('/api/context/clear', { method: 'POST' }).catch(() => {});
+    authFetch('/api/context/clear', { method: 'POST' }).catch(() => {});
   }, []);
 
   return { messages, streaming, streamBuffer, conversationId, tools, sendMessage, stopStreaming, clearContext };

package/supervisor/index.ts

@@ -237,13 +237,63 @@ self.addEventListener('notificationclick', function(event) {
 });
 `;
 
-const RECOVERING_HTML = `<!DOCTYPE html><html style="background:#222122"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Bloby</title>
-<style>@keyframes _fs{to{transform:rotate(360deg)}}body{background:#222122;margin:0}</style></head>
-<body><div style="background:#222122;color:#fff;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100dvh;width:100vw;font-family:system-ui,-apple-system,sans-serif">
-<img src="/morphy-icon-192.png" width="56" height="56" style="border-radius:14px;margin-bottom:20px" alt="" />
-<div style="width:18px;height:18px;border:2px solid rgba(255,255,255,0.12);border-top-color:rgba(255,255,255,0.7);border-radius:50%;animation:_fs .6s linear infinite"></div>
-</div><script>setTimeout(function(){location.reload()},3000)</script>
-<script src="/bloby/widget.js"></script></body></html>`;
+// Shown when the dashboard's Vite dev server is briefly unreachable (startup, restart, or a
+// crash). This is a transient "reconnecting" state — no action needed — so it polls and reloads
+// itself the moment Vite is back (no blind 3s reload-into-the-same-error loop). Same branded
+// look as the backend-down interstitial; the chat widget is loaded so the user can still talk to
+// the agent if it doesn't recover on its own.
+const RECOVERING_HTML = `<!DOCTYPE html>
+<html lang="en"><head>
+<meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Reconnecting · Bloby</title>
+<style>
+  *{margin:0;padding:0;box-sizing:border-box}
+  body{font-family:system-ui,-apple-system,'Segoe UI',sans-serif;background:#0a0a0b;color:#e4e4e7;display:flex;align-items:center;justify-content:center;min-height:100dvh;padding:1.5rem;overflow:hidden}
+  .c{text-align:center;max-width:460px;width:100%;animation:fade-up .6s ease-out both}
+  .video-wrap{position:relative;width:200px;height:200px;margin:0 auto 1.4rem;display:flex;align-items:center;justify-content:center}
+  .video-wrap::before{content:'';position:absolute;inset:-20px;background:radial-gradient(circle,rgba(1,102,255,0.18) 0%,transparent 60%);filter:blur(20px);animation:glow 3s ease-in-out infinite}
+  .video-wrap video{position:relative;width:100%;height:100%;object-fit:contain;pointer-events:none;border-radius:50%}
+  h1{font-size:1.55rem;font-weight:700;margin-bottom:.6rem;background:linear-gradient(135deg,#0166FF,#009AFE,#4AEEFF);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text}
+  p{color:#a1a1aa;line-height:1.6;margin-bottom:.5rem;font-size:.95rem}
+  .lead{color:#e4e4e7;font-size:1rem}
+  .sub{font-size:.82rem;color:#71717a;display:inline-flex;align-items:center;gap:.5rem;background:#18181b;border:1px solid #27272a;border-radius:9999px;padding:.35rem .9rem;margin-top:1.1rem}
+  .sub .dot{width:8px;height:8px;border-radius:50%;background:linear-gradient(135deg,#0166FF,#009AFE);box-shadow:0 0 8px rgba(1,102,255,.6);animation:pulse 1.6s ease-in-out infinite}
+  .badge{display:block;font-size:.7rem;color:#52525b;margin-top:1.3rem}
+  @keyframes pulse{0%,100%{opacity:1;transform:scale(1)}50%{opacity:.45;transform:scale(.85)}}
+  @keyframes glow{0%,100%{opacity:.55;transform:scale(1)}50%{opacity:1;transform:scale(1.08)}}
+  @keyframes fade-up{0%{opacity:0;transform:translateY(12px)}100%{opacity:1;transform:translateY(0)}}
+</style></head>
+<body><div class="c">
+  <div class="video-wrap"><video autoplay loop muted playsinline>
+    <source src="/what-happened.webm" type="video/webm">
+    <source src="/what-happened.mp4" type="video/mp4">
+  </video></div>
+  <h1>Reconnecting…</h1>
+  <p class="lead">Hang tight — your app is coming back online.</p>
+  <p>This usually happens right after an update or a restart. No action needed; this page refreshes itself the moment it's ready.</p>
+  <div class="sub"><span class="dot"></span><span id="statusText">Reconnecting…</span></div>
+  <span class="badge">Powered by Bloby</span>
+</div>
+<script>
+(function(){
+  var attempt = 0, statusEl = document.getElementById('statusText');
+  function retry(){
+    attempt++;
+    fetch(location.href, { cache:'no-store', redirect:'follow' })
+      .then(function(r){ if (r.ok) location.reload(); else schedule(); })
+      .catch(schedule);
+  }
+  function schedule(){
+    statusEl.textContent = attempt > 8
+      ? 'Still reconnecting — you can ask your agent in the chat.'
+      : 'Reconnecting… (attempt ' + attempt + ')';
+    setTimeout(retry, Math.min(4000, 1200 + attempt * 300));
+  }
+  setTimeout(retry, 1800);
+})();
+</script>
+<script src="/bloby/widget.js"></script>
+</body></html>`;
 
 /** Interstitial shown (by the supervisor, not the workspace) when the workspace backend has
  *  crash-looped and given up. Replaces proxying the dashboard SPA to Vite — which would 503 on
@@ -356,10 +406,21 @@ export async function startSupervisor() {
   // The request handler is set up later via server.on('request')
   const server = http.createServer();
 
-  // Start Vite dev server — pass supervisor server so Vite attaches HMR WebSocket directly
+  // Start Vite dev server — pass supervisor server so Vite attaches HMR WebSocket directly.
+  // A Vite boot failure must NOT take down the supervisor (G1): chat is served independently and
+  // is the lifeline the user needs to ask the agent to fix things. On failure we fall back to a
+  // sentinel port — the dashboard proxy then serves the branded "Reconnecting" page (which polls
+  // and carries the chat widget) while chat, the worker API, channels, and the tunnel all still
+  // come up. Previously this throw reached the top-level catch → process.exit before chat listened.
   console.log('[supervisor] Starting Vite dev server...');
-  const vitePorts = await startViteDevServers(config.port, server);
-  console.log(`[supervisor] Vite ready — dashboard :${vitePorts.dashboard}`);
+  let vitePorts: { dashboard: number };
+  try {
+    vitePorts = await startViteDevServers(config.port, server);
+    console.log(`[supervisor] Vite ready — dashboard :${vitePorts.dashboard}`);
+  } catch (err) {
+    log.error(`Vite dev server failed to start — dashboard degraded, chat still available: ${err instanceof Error ? err.message : err}`);
+    vitePorts = { dashboard: -1 }; // sentinel → dashboard proxy serves RECOVERING_HTML
+  }
   console.log(`[supervisor] Upgrade listeners on server: ${server.listenerCount('upgrade')}`);
 
   // Ensure file storage dirs exist
@@ -454,36 +515,31 @@ export async function startSupervisor() {
     }
   }
 
-  const AUTH_EXEMPT_ROUTES = [
-    'POST /api/portal/login',
-    'GET /api/portal/login',
-    'POST /api/portal/validate-token',
-    'GET /api/portal/validate-token',
-    'GET /api/onboard/status',
+  // SECURITY MODEL — public allowlist (secure by default). When a portal password is set, EVERY
+  // /api/* route requires a valid Bearer token EXCEPT the ones listed here (the pre-login surface:
+  // login/onboarding/health/non-secret config). A new /api route is therefore GATED by default —
+  // it can only leak if someone explicitly adds it here. (Previously the gate skipped ALL GET/HEAD,
+  // so every data read — conversations, context, wallet, devices — was readable with no token.)
+  // Note: /api/agent/* (agent secret) and /api/channels/* are intercepted + returned BEFORE this
+  // gate, so they're unaffected; the channel entries below are belt-and-suspenders.
+  const PUBLIC_PRELOGIN_ROUTES = [
     'GET /api/health',
-    // NOTE: 'POST /api/onboard' is intentionally NOT blanket-exempt. It is gated in the
-    // request handler below: open on genuine first run (no portal_pass yet), token-required
-    // afterward. Re-onboard from the dashboard uses the internal x-internal WS path.
+    'GET /api/onboard/status',
+    'GET /api/settings',                 // secrets already stripped (worker denylist); widget + onboard read flags pre-login
     'GET /api/push/vapid-public-key',
-    'GET /api/push/status',
-    'POST /api/auth/claude/start',
-    'POST /api/auth/claude/exchange',
-    'GET /api/auth/claude/status',
-    'POST /api/auth/codex/start',
-    'POST /api/auth/codex/cancel',
-    'GET /api/auth/codex/status',
-    'GET /api/auth/pi/providers',
-    'GET /api/auth/pi/status',
-    'POST /api/auth/pi/test',
-    'POST /api/auth/pi/save',
-    'DELETE /api/auth/pi',
-    'POST /api/auth/pi/completion',
-    'POST /api/portal/totp/setup',
-    'POST /api/portal/totp/verify-setup',
-    'POST /api/portal/totp/disable',
-    'GET /api/portal/totp/status',
+    'GET /api/portal/login',
+    'POST /api/portal/login',
+    'GET /api/portal/validate-token',
+    'POST /api/portal/validate-token',
     'GET /api/portal/login/totp',
-    'POST /api/portal/devices/revoke',
+    'GET /api/portal/totp/status',
+    'POST /api/portal/totp/setup',        // self-protected in-handler (Bearer OR password OR first-run)
+    'POST /api/portal/totp/verify-setup', // self-protected in-handler
+    'POST /api/portal/totp/disable',      // self-protected (requires password + valid code)
+    'POST /api/portal/verify-password',   // verifies the password itself — cannot require a token
+    // NOTE: 'POST /api/onboard' is NOT public — gated below: open only on genuine first run
+    // (no portal_pass yet), token-required afterward. Dashboard re-onboard uses the x-internal WS path.
+    // Channel onboarding (also intercepted earlier; kept for completeness/safety):
     'GET /api/channels/status',
     'GET /api/channels/whatsapp/qr',
     'GET /api/channels/whatsapp/qr-page',
@@ -496,12 +552,23 @@ export async function startSupervisor() {
     'POST /api/channels/send',
     'POST /api/channels/alexa/handle',
   ];
+  // Method-specific public PREFIXES — onboarding namespaces with sub-paths / params that carry no
+  // private chat data: provider OAuth setup/status (all of /api/auth/*), and handle availability
+  // (GET /api/handle/* only — handle register/change are POSTs and stay gated).
+  const PUBLIC_PRELOGIN_PREFIXES = [
+    'POST /api/auth/',
+    'GET /api/auth/',
+    'DELETE /api/auth/',
+    'GET /api/handle/',
+  ];
 
-  function isExemptRoute(method: string, url: string): boolean {
+  function isPublicRoute(method: string, url: string): boolean {
+    const m = method === 'HEAD' ? 'GET' : method; // a HEAD to a public GET route is public
     const path = url.split('?')[0];
-    return AUTH_EXEMPT_ROUTES.some((r) => {
-      const [m, p] = r.split(' ');
-      return method === m && path === p;
+    if (PUBLIC_PRELOGIN_ROUTES.includes(`${m} ${path}`)) return true;
+    return PUBLIC_PRELOGIN_PREFIXES.some((r) => {
+      const sp = r.indexOf(' ');
+      return m === r.slice(0, sp) && path.startsWith(r.slice(sp + 1));
     });
   }
 
@@ -1678,9 +1745,11 @@ mint();
       const isInternal = req.headers['x-internal'] === internalSecret;
 
       if (!isInternal) {
-        // Auth check for mutation routes (POST/PUT/DELETE) — GET/HEAD are read-only, skip auth
+        // Require a token for EVERY /api route except the public pre-login allowlist. This now
+        // covers GET data reads (conversations, context, wallet, devices, push status) that
+        // previously skipped auth and leaked over the public relay.
         const method = req.method || 'GET';
-        if (method !== 'GET' && method !== 'HEAD' && !isExemptRoute(method, req.url || '')) {
+        if (!isPublicRoute(method, req.url || '')) {
           // POST /api/onboard is open only on genuine first run (no portal_pass yet). Read the
           // setting DIRECTLY rather than the 30s-cached isAuthRequired() so the gate closes the
           // instant onboarding sets a password — no stale-cache window for a takeover. The
@@ -1798,6 +1867,14 @@ mint();
       return;
     }
 
+    // Vite failed to boot (sentinel port) → serve the recovering page directly instead of
+    // proxying to a dead port. Chat (/bloby/*) is served earlier, so the lifeline stays up.
+    if (vitePorts.dashboard < 0) {
+      res.writeHead(503, { 'Content-Type': 'text/html', 'Cache-Control': 'no-store, no-cache, must-revalidate' });
+      res.end(RECOVERING_HTML);
+      return;
+    }
+
     // Everything else → proxy to dashboard Vite dev server
     console.log(`[supervisor] → dashboard Vite :${vitePorts.dashboard} | ${req.method} ${(req.url || '').split('?')[0]}`);
     const GUARD_TAG = '<script defer src="/bloby/workspace-guard.js"></script>';
@@ -2738,14 +2815,36 @@ mint();
     }, 1000);
   }
 
-  // Watch backend/ for code changes
-  const backendWatcher = fs.watch(backendDir, { recursive: true }, (_event, filename) => {
-    if (!filename || !filename.match(/\.(ts|js|json)$/)) return;
-    scheduleBackendRestart(`Backend file changed: ${filename}`);
-  });
+  // Self-healing file watchers. Two failure modes the audit flagged, both of which would hurt G3
+  // (auto-heal) or G1 (chat): (a) fs.watch throws synchronously if its target is missing — at boot
+  // that reached the top-level catch → process.exit before chat listened; (b) a watcher 'error'
+  // event (EMFILE under load, the watched inode removed during a workspace swap) has no listener,
+  // so it crashes the supervisor AND leaves a silently-dead watcher (auto-heal stops with no
+  // signal). Fix: ensure the dir exists, attach an 'error' listener, and re-arm with backoff.
+  let backendWatcher: fs.FSWatcher | null = null;
+  let workspaceWatcher: fs.FSWatcher | null = null;
+
+  function armBackendWatcher() {
+    try {
+      fs.mkdirSync(backendDir, { recursive: true }); // fs.watch throws if the target is missing
+      const w = fs.watch(backendDir, { recursive: true }, (_event, filename) => {
+        if (!filename || !filename.toString().match(/\.(ts|js|json)$/)) return;
+        scheduleBackendRestart(`Backend file changed: ${filename}`);
+      });
+      w.on('error', (err: any) => {
+        log.warn(`[watcher] backend watcher error: ${err?.message || err} — re-arming in 2s`);
+        try { w.close(); } catch {}
+        backendWatcher = null;
+        setTimeout(armBackendWatcher, 2000);
+      });
+      backendWatcher = w;
+    } catch (err: any) {
+      log.warn(`[watcher] backend watcher failed to arm: ${err?.message || err} — retry in 5s`);
+      setTimeout(armBackendWatcher, 5000);
+    }
+  }
 
-  // Watch workspace root for .env, dependency, and .restart/.update changes
-  const workspaceWatcher = fs.watch(workspaceDir, (_event, filename) => {
+  function onWorkspaceChange(_event: fs.WatchEventType, filename: string | Buffer | null) {
     if (!filename) return;
     if (filename === '.env') {
       scheduleBackendRestart('.env changed');
@@ -2782,7 +2881,26 @@ mint();
         runDeferredUpdate();
       }
     }
-  });
+  }
+
+  function armWorkspaceWatcher() {
+    try {
+      const w = fs.watch(workspaceDir, onWorkspaceChange);
+      w.on('error', (err: any) => {
+        log.warn(`[watcher] workspace watcher error: ${err?.message || err} — re-arming in 2s`);
+        try { w.close(); } catch {}
+        workspaceWatcher = null;
+        setTimeout(armWorkspaceWatcher, 2000);
+      });
+      workspaceWatcher = w;
+    } catch (err: any) {
+      log.warn(`[watcher] workspace watcher failed to arm: ${err?.message || err} — retry in 5s`);
+      setTimeout(armWorkspaceWatcher, 5000);
+    }
+  }
+
+  armBackendWatcher();
+  armWorkspaceWatcher();
 
   // Tunnel
   let tunnelUrl: string | null = null;
@@ -2944,8 +3062,8 @@ mint();
     log.info('Shutting down...');
     await channelManager.disconnectAll();
     stopScheduler();
-    backendWatcher.close();
-    workspaceWatcher.close();
+    backendWatcher?.close();
+    workspaceWatcher?.close();
     if (backendRestartTimer) clearTimeout(backendRestartTimer);
     if (watchdogInterval) clearInterval(watchdogInterval);
     stopHeartbeat();