bloby-bot 0.70.7 → 0.70.9

package/supervisor/harnesses/pi/index.ts

@@ -6,9 +6,11 @@
  * matches the Claude harness so the dispatcher needs no provider-specific
  * code.
  *
- * Phase 1 scope: live conversation + one-shot text only (no tools). The
+ * Live conversations run the full tool loop (session.ts); one-shots are still
+ * tool-less (audit Phase C will route them through createPiSession). The
  * non-blocking feel — user keeps typing while the model is still answering —
- * comes from the same `AsyncQueue` pattern Claude uses; see `async-queue.ts`.
+ * comes from the same `AsyncQueue` pattern Claude uses (one message per turn);
+ * see `async-queue.ts` and PI-PARITY-AUDIT-2026-06-11.md.
  */
 import { log } from '../../../shared/logger.js';
 import { WORKSPACE_DIR } from '../../../shared/paths.js';
@@ -26,8 +28,8 @@ export type { RecentMessage, AgentAttachment };
 
 import { buildSkillsIndex } from '../skills.js';
 import { createAsyncQueue, type AsyncQueue } from './async-queue.js';
-import { createPiSession, type PiSessionEvent } from './session.js';
-import { getPiSubProvider } from './sub-providers.js';
+import { createPiSession, type PiSessionEvent, type PiSessionAuth } from './session.js';
+import { getPiSubProvider, getCatalogModel } from './sub-providers.js';
 import { readPiAuth } from './auth-storage.js';
 import { streamProvider } from './providers/stream.js';
 import type { PiMessage } from './providers/types.js';
@@ -41,11 +43,50 @@ interface LiveConversation {
   abortController: AbortController;
   onMessage: (type: string, data: any) => void;
   busy: boolean;
+  /** Messages pushed but not yet completed (1 turn-complete per message) — mirrors
+   *  claude.ts pendingCount. idle:true on turn-complete only when this hits 0, so
+   *  the supervisor's session recycling never fires with a message still queued. */
+  pendingCount: number;
+  /** 60ms micro-batcher for bot:token — collapses per-delta WS frame floods. */
+  batcher: TokenBatcher;
   loopDone: Promise<void> | null;
 }
 
 const liveConversations = new Map<string, LiveConversation>();
 
+/**
+ * Micro-batch streamed deltas into ~60ms bot:token frames (house standard
+ * from the codex parity pass — an order-of-magnitude WS frame reduction with
+ * no visible change in streaming feel). Callers MUST flush() before emitting
+ * any non-token event so ordering and the streamed-text == bot:response
+ * contract are preserved; discard() on teardown drops post-abort stragglers.
+ */
+interface TokenBatcher {
+  add(delta: string): void;
+  flush(): void;
+  discard(): void;
+}
+
+function createTokenBatcher(emit: (text: string) => void, intervalMs = 60): TokenBatcher {
+  let buf = '';
+  let timer: NodeJS.Timeout | null = null;
+  const flush = () => {
+    if (timer) { clearTimeout(timer); timer = null; }
+    if (buf) { const out = buf; buf = ''; emit(out); }
+  };
+  return {
+    add(delta: string) {
+      buf += delta;
+      if (!timer) timer = setTimeout(flush, intervalMs);
+    },
+    flush,
+    discard() {
+      if (timer) { clearTimeout(timer); timer = null; }
+      buf = '';
+    },
+  };
+}
+
 export function hasConversation(conversationId: string): boolean {
   return liveConversations.has(conversationId);
 }
@@ -100,7 +141,7 @@ You are running in a streaming chat where the user can keep typing while you wor
 
 - Before kicking off a multi-step task, say one short line acknowledging it ("On it, looking at the widget now.").
 - Between tool calls on long tasks, drop a brief progress note ("Found the file, checking the layout next.") so the user knows you're still working.
-- If a new user message arrives while you're mid-task, you'll see it as a fresh user-role message in the conversation history. Answer it briefly inline, mention you're still working on the main task, then continue.
+- Messages the user sends while you're working are queued and delivered to you one at a time after the current task finishes — each gets its own answer, so never assume you missed one.
 - Final answers should be concise and concrete.`;
 
 async function buildSystemPrompt(
@@ -133,29 +174,56 @@ async function buildSystemPrompt(
   return systemPrompt;
 }
 
-/** Resolve sub-provider, base url, api key, model id from saved pi-auth.json. */
-function resolveAuth(): {
-  ok: true;
-  flavor: ReturnType<typeof getPiSubProvider> extends undefined ? never : NonNullable<ReturnType<typeof getPiSubProvider>>['flavor'];
-  modelId: string;
-  baseUrl: string;
-  apiKey: string;
-} | { ok: false; error: string } {
-  const auth = readPiAuth();
-  if (!auth) return { ok: false, error: 'Bloby provider is not configured. Run the onboarding wizard.' };
-  const sub = getPiSubProvider(auth.subProvider);
-  if (!sub) return { ok: false, error: `Unknown sub-provider in pi-auth.json: ${auth.subProvider}` };
-  const baseUrl = (auth.baseUrl || sub.baseUrl || '').replace(/\/+$/, '');
+/**
+ * Resolve the full provider auth bundle from saved pi-auth.json: sub-provider
+ * flavor, base url, api key, model id, plus catalog metadata (per-model output
+ * cap, context window) and the sub-provider's max-tokens field quirk.
+ *
+ * Called at session/one-shot start AND re-called on every live provider round
+ * via the session's getAuth thunk — so fixing a revoked key or switching
+ * models in the wizard heals a live conversation on its very next round.
+ */
+function resolveAuth(): { ok: true; auth: PiSessionAuth } | { ok: false; error: string } {
+  const saved = readPiAuth();
+  if (!saved) return { ok: false, error: 'Bloby provider is not configured. Run the onboarding wizard.' };
+  const sub = getPiSubProvider(saved.subProvider);
+  if (!sub) return { ok: false, error: `Unknown sub-provider in pi-auth.json: ${saved.subProvider}` };
+  const baseUrl = (saved.baseUrl || sub.baseUrl || '').replace(/\/+$/, '');
   if (!baseUrl) return { ok: false, error: `No base URL configured for ${sub.id}` };
-  const modelId = auth.modelId || sub.defaultModel || '';
+  const modelId = saved.modelId || sub.defaultModel || '';
   if (!modelId) return { ok: false, error: `No model selected for ${sub.id}` };
-  if (sub.needsApiKey && !auth.apiKey) return { ok: false, error: `Missing API key for ${sub.id}` };
+  if (sub.needsApiKey && !saved.apiKey) return { ok: false, error: `Missing API key for ${sub.id}` };
+  const catalog = getCatalogModel(sub.id, modelId);
+
+  // Effective window reported to the supervisor's recycler. Two corrections
+  // over the raw catalog figure (audit review F1):
+  // 1. Anthropic catalog windows can reflect the 1M-context beta; without the
+  //    beta header (we don't send it) the real window is 200k.
+  // 2. Since every request reserves max_tokens of output budget, providers
+  //    enforce input + max_tokens <= window — the usable INPUT ceiling is
+  //    window - maxOutputTokens. Reporting the raw window would put the 70%
+  //    recycle threshold ABOVE that ceiling (e.g. 140k > 200k-64k=136k on
+  //    claude-haiku-4-5) and the recycler could never preempt the wall.
+  let contextWindow = catalog?.contextWindow;
+  if (contextWindow && sub.flavor === 'anthropic-messages') {
+    contextWindow = Math.min(contextWindow, 200_000);
+  }
+  if (contextWindow && catalog?.maxOutputTokens) {
+    contextWindow = Math.max(0, contextWindow - catalog.maxOutputTokens);
+  }
+
   return {
     ok: true,
-    flavor: sub.flavor,
-    modelId,
-    baseUrl,
-    apiKey: auth.apiKey || '',
+    auth: {
+      flavor: sub.flavor,
+      modelId,
+      baseUrl,
+      apiKey: saved.apiKey || '',
+      maxOutputTokens: catalog?.maxOutputTokens,
+      maxTokensField: sub.maxTokensField,
+      includeStreamUsage: sub.noStreamUsage ? false : undefined,
+      contextWindow,
+    },
   };
 }
 
@@ -208,14 +276,14 @@ export async function startConversation(
     endConversation(conversationId);
   }
 
-  const auth = resolveAuth();
-  if (!auth.ok) {
-    log.warn(`[pi/conversation] Cannot start: ${auth.error}`);
-    onMessage('bot:error', { conversationId, error: auth.error });
+  const resolved = resolveAuth();
+  if (!resolved.ok) {
+    log.warn(`[pi/conversation] Cannot start: ${resolved.error}`);
+    onMessage('bot:error', { conversationId, error: resolved.error });
     return false;
   }
 
-  log.info(`[pi/conversation] Sub-provider: ${auth.flavor} · model: ${auth.modelId}`);
+  log.info(`[pi/conversation] Sub-provider: ${resolved.auth.flavor} · model: ${resolved.auth.modelId}`);
 
   const systemPrompt = await buildSystemPrompt(names, recentMessages);
   log.info(`[pi/conversation] System prompt: ${systemPrompt.length} chars`);
@@ -229,15 +297,24 @@ export async function startConversation(
     abortController,
     onMessage,
     busy: false,
+    pendingCount: 0,
+    batcher: createTokenBatcher((text) => onMessage('bot:token', { conversationId, token: text })),
     loopDone: null,
   };
   liveConversations.set(conversationId, conv);
 
+  // Re-resolve auth on every provider round so a key/model fix in the wizard
+  // applies to the next round with full history intact (audit D6-8). Falls
+  // back to the last good bundle if pi-auth.json turns unreadable mid-session.
+  let currentAuth: PiSessionAuth = resolved.auth;
+  const getAuth = (): PiSessionAuth => {
+    const fresh = resolveAuth();
+    if (fresh.ok) currentAuth = fresh.auth;
+    return currentAuth;
+  };
+
   const session = createPiSession({
-    flavor: auth.flavor,
-    modelId: auth.modelId,
-    baseUrl: auth.baseUrl,
-    apiKey: auth.apiKey,
+    getAuth,
     systemPrompt,
     tools: toolDefsForProvider(),
     cwd: WORKSPACE_DIR,
@@ -258,6 +335,10 @@ export async function startConversation(
       }
     } finally {
       log.info(`[pi/conversation] Cleaning up conversation ${conversationId}`);
+      // Drop any unflushed token stragglers — at teardown the turn is either
+      // complete (already flushed before turn_complete) or aborted (tokens
+      // from an aborted stream must not surface after the fact).
+      conv.batcher.discard();
       liveConversations.delete(conversationId);
       onMessage('bot:conversation-ended', { conversationId });
     }
@@ -268,28 +349,74 @@ export async function startConversation(
 
 /** Map session-level events back into bloby's `bot:*` vocabulary. */
 function translateAndEmit(conv: LiveConversation, evt: PiSessionEvent) {
+  if (evt.type === 'text_delta') {
+    conv.batcher.add(evt.delta);
+    return;
+  }
+  // Any non-token event flushes the batch first — ordering (tokens before the
+  // tool chip / final response) and the streamed-text == bot:response
+  // invariant both depend on it.
+  conv.batcher.flush();
+
   switch (evt.type) {
     case 'turn_started':
       // No bloby event for this — `bot:typing` is already emitted by pushMessage().
       break;
-    case 'text_delta':
-      conv.onMessage('bot:token', { conversationId: conv.id, token: evt.delta });
-      break;
     case 'text_end':
       conv.onMessage('bot:response', { conversationId: conv.id, content: evt.text });
       break;
     case 'tool_use':
       conv.onMessage('bot:tool', { conversationId: conv.id, name: evt.name, input: evt.input });
       break;
-    case 'turn_complete':
-      conv.busy = false;
-      conv.onMessage('bot:turn-complete', { conversationId: conv.id, usedFileTools: evt.usedFileTools });
-      log.info(`[pi/conversation] ──── TURN COMPLETE ────  busy=false`);
+    case 'tool_result':
+      // Not surfaced yet (Phase D: translate to a bot:tool progress pulse).
       break;
-    case 'error':
+    case 'turn_complete': {
       conv.busy = false;
-      conv.onMessage('bot:error', { conversationId: conv.id, error: evt.error });
+      // One turn-complete per pushed message (D1-1 restored that invariant);
+      // idle gates the supervisor's proactive recycling so it never fires with
+      // a message still queued — claude.ts pendingCount semantics exactly.
+      conv.pendingCount = Math.max(0, conv.pendingCount - 1);
+      const idle = conv.pendingCount === 0;
+      // Prompt occupancy of the last provider round — input + cache reads +
+      // cache writes, exactly claude.ts's contextTokens math. Output tokens
+      // are NOT added (claude doesn't either; the recycler's 70% threshold
+      // absorbs the next-turn growth).
+      const contextTokens = evt.usage
+        ? (evt.usage.inputTokens || 0) + (evt.usage.cacheReadTokens || 0) + (evt.usage.cacheCreationTokens || 0)
+        : 0;
+      conv.onMessage('bot:turn-complete', {
+        conversationId: conv.id,
+        usedFileTools: evt.usedFileTools,
+        contextTokens,
+        contextWindow: evt.contextWindow || 0,
+        idle,
+      });
+      log.info(`[pi/conversation] ──── TURN COMPLETE ────  busy=false ctx=${contextTokens}/${evt.contextWindow || 'n/a'} idle=${idle}`);
+      break;
+    }
+    case 'error': {
+      // busy is NOT cleared here (audit D1-9): turn_complete is the single
+      // busy=false site and the session guarantees it on every non-aborted
+      // turn; an aborted/fatal path is torn down via bot:conversation-ended.
+      const fatal = evt.kind === 'auth' || evt.kind === 'context-overflow';
+      const remedy = evt.kind === 'context-overflow'
+        ? ' Starting a fresh session — send your message again to continue.'
+        : evt.kind === 'auth'
+          ? ' I\'ll reconnect with the new key as soon as it\'s saved.'
+          : '';
+      conv.onMessage('bot:error', { conversationId: conv.id, error: `${evt.error}${remedy}` });
+      if (fatal) {
+        // Unrecoverable for this session (audit D6-4): an over-window history
+        // would re-fail on every future turn, and a dead key has no business
+        // keeping the loop alive. Tear down — the finally emits
+        // bot:conversation-ended (routes + flags clear) and the next user
+        // message cold-starts a fresh session with re-injected history.
+        log.warn(`[pi/conversation] Fatal provider error (${evt.kind}) — recycling session ${conv.id}`);
+        endConversation(conv.id);
+      }
       break;
+    }
   }
 }
 
@@ -305,8 +432,9 @@ export function pushMessage(
     return false;
   }
 
-  log.info(`[pi/conversation] ──── PUSH MESSAGE ──── busy=${conv.busy}`);
+  log.info(`[pi/conversation] ──── PUSH MESSAGE ──── busy=${conv.busy} pending=${conv.pendingCount + 1}`);
   conv.busy = true;
+  conv.pendingCount += 1;
   conv.inputQueue.push(buildUserMessage(content, attachments, savedFiles));
   conv.onMessage('bot:typing', { conversationId });
   return true;
@@ -317,6 +445,7 @@ export function endConversation(conversationId: string): void {
   if (!conv) return;
 
   log.info(`[pi/conversation] ──── ENDING CONVERSATION ${conversationId} ────`);
+  conv.batcher.discard();
   conv.inputQueue.end();
   conv.abortController.abort();
   liveConversations.delete(conversationId);
@@ -373,21 +502,21 @@ export async function startBlobyAgentQuery(
   supportPrompt?: string,
   _maxTurns?: number,
 ): Promise<void> {
-  const auth = resolveAuth();
-  if (!auth.ok) {
-    onMessage('bot:error', { conversationId, error: auth.error });
+  const resolved = resolveAuth();
+  if (!resolved.ok) {
+    onMessage('bot:error', { conversationId, error: resolved.error });
+    // bot:done frees the caller's slot (WhatsApp activeAgents / scheduler) — without it
+    // each distinct customer hitting this path pins one of the 5 concurrent slots until
+    // supervisor restart (audit D3-2; mirrors claude.ts:620).
+    onMessage('bot:done', { conversationId, usedFileTools: false });
     return;
   }
+  const auth = resolved.auth;
 
-  const abortController = new AbortController();
-  activeQueries.set(conversationId, abortController);
-  // Hard watchdog — a hung provider stream would otherwise pin this query forever (finally never
-  // runs, bot:done never fires). Abort after 5 min; cleared in the finally on normal completion.
-  const watchdog = setTimeout(() => {
-    log.warn(`[pi/bloby-agent] one-shot timed out (5m) — aborting conv=${conversationId}`);
-    abortController.abort();
-  }, 300_000);
-
+  // Build the prompt BEFORE registering in activeQueries / arming the watchdog
+  // (claude.ts ordering): if anything in here ever rejected after registration,
+  // the entry would leak forever — anyOneShotActive() stuck true defers every
+  // backend restart/self-update, and the caller's slot never frees.
   let systemPrompt: string;
   if (supportPrompt) {
     systemPrompt = supportPrompt;
@@ -398,11 +527,23 @@ export async function startBlobyAgentQuery(
   const messages: PiMessage[] = recentToPiMessages(recentMessages);
   messages.push(buildUserMessage(prompt, attachments, savedFiles));
 
+  const abortController = new AbortController();
+  activeQueries.set(conversationId, abortController);
+  // Hard watchdog — a hung provider stream would otherwise pin this query forever (finally never
+  // runs, bot:done never fires). Abort after 5 min; cleared in the finally on normal completion.
+  const watchdog = setTimeout(() => {
+    log.warn(`[pi/bloby-agent] one-shot timed out (5m) — aborting conv=${conversationId}`);
+    abortController.abort();
+  }, 300_000);
+
   onMessage('bot:typing', { conversationId });
 
   let accumulated = '';
   const usedTools = new Set<string>();
-  let errored = false;
+  // Errors are stashed, not emitted inline — at the end, partial text wins
+  // over the error bubble (audit D3-5/D6-2, claude.ts:730-737 precedence).
+  let errorMsg: string | null = null;
+  const batcher = createTokenBatcher((text) => onMessage('bot:token', { conversationId, token: text }));
 
   try {
     const stream = streamProvider(auth.flavor, {
@@ -411,6 +552,9 @@ export async function startBlobyAgentQuery(
       apiKey: auth.apiKey,
       systemPrompt,
       messages,
+      maxOutputTokens: auth.maxOutputTokens,
+      maxTokensField: auth.maxTokensField,
+      includeStreamUsage: auth.includeStreamUsage,
       signal: abortController.signal,
     });
 
@@ -419,30 +563,46 @@ export async function startBlobyAgentQuery(
       switch (evt.type) {
         case 'text_delta':
           accumulated += evt.delta;
-          onMessage('bot:token', { conversationId, token: evt.delta });
+          batcher.add(evt.delta);
           break;
         case 'text_end':
+          batcher.flush();
           accumulated = evt.text;
           break;
         case 'tool_use':
+          batcher.flush();
           usedTools.add(evt.name);
           onMessage('bot:tool', { conversationId, name: evt.name, input: evt.input });
           break;
         case 'error':
-          errored = true;
-          onMessage('bot:error', { conversationId, error: evt.error });
+          batcher.flush();
+          errorMsg = evt.error;
           break;
       }
     }
-    if (accumulated && !errored) {
-      onMessage('bot:response', { conversationId, content: accumulated });
+    // Abort guard (audit D3-8): a watchdog-aborted run must not surface a
+    // truncated reply — a stopped pulse could otherwise still fire <Message>
+    // pushes with half-finished content.
+    if (!abortController.signal.aborted) {
+      batcher.flush();
+      if (accumulated) {
+        onMessage('bot:response', { conversationId, content: accumulated });
+      } else if (errorMsg) {
+        onMessage('bot:error', { conversationId, error: errorMsg });
+      }
     }
   } catch (err: any) {
     if (!abortController.signal.aborted) {
       log.warn(`[pi/bloby-agent] one-shot error: ${err?.message || err}`);
-      onMessage('bot:error', { conversationId, error: err?.message || String(err) });
+      batcher.flush();
+      if (accumulated) {
+        onMessage('bot:response', { conversationId, content: accumulated });
+      } else {
+        onMessage('bot:error', { conversationId, error: err?.message || String(err) });
+      }
     }
   } finally {
+    batcher.discard();
     clearTimeout(watchdog);
     activeQueries.delete(conversationId);
     const FILE_TOOL_NAMES = ['Write', 'Edit', 'write', 'edit'];
@@ -462,8 +622,9 @@ export function stopBlobyAgentQuery(conversationId: string): void {
 // ── Workspace agent endpoint (POST /api/agent/query) ──────────────────────
 
 export async function runAgentQuery(req: AgentQueryRequest): Promise<AgentQueryResult> {
-  const auth = resolveAuth();
-  if (!auth.ok) return { ok: false, error: auth.error };
+  const resolved = resolveAuth();
+  if (!resolved.ok) return { ok: false, error: resolved.error };
+  const auth = resolved.auth;
 
   const timeout = Math.min(Math.max(req.timeout || 120_000, 5_000), 300_000);
   const abortController = new AbortController();
@@ -487,6 +648,9 @@ export async function runAgentQuery(req: AgentQueryRequest): Promise<AgentQueryR
       apiKey: auth.apiKey,
       systemPrompt,
       messages,
+      maxOutputTokens: auth.maxOutputTokens,
+      maxTokensField: auth.maxTokensField,
+      includeStreamUsage: auth.includeStreamUsage,
       signal: abortController.signal,
     });
 
@@ -517,7 +681,10 @@ export async function runAgentQuery(req: AgentQueryRequest): Promise<AgentQueryR
     clearTimeout(timeoutHandle);
   }
 
-  if (errored) return { ok: false, error: errorMsg || 'Agent query failed' };
+  // Partial-text precedence (claude parity, audit D6-2): if the model streamed
+  // anything before failing, return it as a successful (truncated) response —
+  // claude's runAgentQuery only reports the error when nothing streamed.
+  if (errored && !fullText) return { ok: false, error: errorMsg || 'Agent query failed' };
 
   const usedFileTools = ['Write', 'Edit', 'write', 'edit'].some((t) => usedTools.has(t));
   return { ok: true, response: fullText, toolsUsed: Array.from(usedTools), usedFileTools };