bosun 0.28.0 → 0.28.1

package/.env.example

@@ -77,7 +77,21 @@ TELEGRAM_MINIAPP_ENABLED=false
 # Full public URL override (takes precedence over host/port auto-detection).
 # Use when you have a reverse proxy or tunnel with HTTPS.
 # TELEGRAM_UI_BASE_URL=https://your-public-ui.example.com
-# Skip Telegram initData authentication (for local browser testing only).
+# ╔══════════════════════════════════════════════════════════════════════╗
+# ║ ⛔ DANGER — SECURITY CRITICAL                                       ║
+# ║                                                                      ║
+# ║ Setting ALLOW_UNSAFE=true disables ALL authentication on the UI.     ║
+# ║ Anyone who discovers your URL can:                                   ║
+# ║  • Read/modify your tasks and settings                               ║
+# ║  • Send commands to agents that execute code on YOUR machine         ║
+# ║  • Access secrets, API keys, and environment variables               ║
+# ║                                                                      ║
+# ║ Combined with TELEGRAM_UI_TUNNEL=auto (Cloudflare tunnel), your UI   ║
+# ║ gets a PUBLIC internet URL — meaning ANYONE ON THE INTERNET can      ║
+# ║ find and control your machine.                                       ║
+# ║                                                                      ║
+# ║ ONLY enable this for localhost-only debugging with tunnel DISABLED.  ║
+# ╚══════════════════════════════════════════════════════════════════════╝
 # TELEGRAM_UI_ALLOW_UNSAFE=false
 # Max age in seconds for initData auth tokens (default: 86400 = 24h)
 # TELEGRAM_UI_AUTH_MAX_AGE_SEC=86400

package/README.md

@@ -1,4 +1,7 @@
-# ![virtengine bosun ai agent](site/logo.png) bosun
+<p align="center">
+  <img src="site/logo.png" alt="virtengine bosun ai agent" width="150" />
+</p>
+<h1 align="center">bosun</h1>
 
 Bosun is a production-grade supervisor for AI coding agents. It routes tasks across executors, automates PR lifecycles, and keeps operators in control through Telegram, the Mini App dashboard, and optional WhatsApp notifications.
 

package/agent-pool.mjs

@@ -71,6 +71,20 @@ function envFlagEnabled(value) {
   return ["1", "true", "yes", "on", "y"].includes(raw);
 }
 
+/**
+ * Extract a human-readable task heading from the prompt built by _buildTaskPrompt.
+ * The first line is "# TASKID — Task Title"; we return the title portion only.
+ * Falls back to the raw first line if no em-dash separator is found.
+ * @param {string} prompt
+ * @returns {string}
+ */
+function extractTaskHeading(prompt) {
+  const firstLine = String(prompt || "").split(/\r?\n/)[0].replace(/^#+\s*/, "").trim();
+  const dashIdx = firstLine.indexOf(" \u2014 ");
+  const title = dashIdx !== -1 ? firstLine.slice(dashIdx + 3).trim() : firstLine;
+  return title || "Execute Task";
+}
+
 function shouldAutoApproveCopilotPermissions() {
   const raw = process.env.COPILOT_AUTO_APPROVE_PERMISSIONS;
   if (raw === undefined || raw === null || String(raw).trim() === "") {
@@ -870,7 +884,7 @@ async function launchCopilotThread(prompt, cwd, timeoutMs, extra = {}) {
     }
 
     const formattedPrompt =
-      `# YOUR TASK — EXECUTE NOW\n\n${prompt}\n\n---\n` +
+      `# ${extractTaskHeading(prompt)}\n\n${prompt}\n\n---\n` +
       'Do NOT respond with "Ready" or ask what to do. EXECUTE this task.';
 
     const hasSend = typeof session.send === "function";
@@ -1184,7 +1198,7 @@ async function launchClaudeThread(prompt, cwd, timeoutMs, extra = {}) {
     const msgQueue = createMessageQueue();
 
     const formattedPrompt =
-      `# YOUR TASK — EXECUTE NOW\n\n${prompt}\n\n---\n` +
+      `# ${extractTaskHeading(prompt)}\n\n${prompt}\n\n---\n` +
       'Do NOT respond with "Ready" or ask what to do. EXECUTE this task.';
 
     msgQueue.push(makeUserMessage(formattedPrompt));

package/agent-work-analyzer.mjs

@@ -0,0 +1,419 @@
+/**
+ * Agent Work Stream Analyzer
+ *
+ * Tails agent-work-stream.jsonl in real-time, detects patterns, and emits alerts
+ * for bosun to consume.
+ *
+ * Features:
+ * - Error loop detection (same error N+ times)
+ * - Tool loop detection (same tool called rapidly)
+ * - Stuck agent detection (no progress for X minutes)
+ * - Context window exhaustion prediction
+ * - Cost anomaly detection (unusually expensive sessions)
+ */
+
+import { readFile, writeFile, appendFile, stat, watch } from "fs/promises";
+import { createReadStream, existsSync } from "fs";
+import { createInterface } from "readline";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const repoRoot = resolve(__dirname, "../..");
+
+// ── Configuration ───────────────────────────────────────────────────────────
+const AGENT_WORK_STREAM = resolve(
+  repoRoot,
+  ".cache/agent-work-logs/agent-work-stream.jsonl",
+);
+const ALERTS_LOG = resolve(
+  repoRoot,
+  ".cache/agent-work-logs/agent-alerts.jsonl",
+);
+
+const ERROR_LOOP_THRESHOLD = Number(
+  process.env.AGENT_ERROR_LOOP_THRESHOLD || "4",
+);
+const ERROR_LOOP_WINDOW_MS = 10 * 60 * 1000; // 10 minutes
+
+const TOOL_LOOP_THRESHOLD = Number(
+  process.env.AGENT_TOOL_LOOP_THRESHOLD || "10",
+);
+const TOOL_LOOP_WINDOW_MS = 60 * 1000; // 1 minute
+
+const STUCK_DETECTION_THRESHOLD_MS = Number(
+  process.env.AGENT_STUCK_THRESHOLD_MS || String(5 * 60 * 1000),
+); // 5 minutes
+
+const COST_ANOMALY_THRESHOLD_USD = Number(
+  process.env.AGENT_COST_ANOMALY_THRESHOLD || "1.0",
+);
+
+// ── State Tracking ──────────────────────────────────────────────────────────
+
+// Active session state: sessionId -> { ... }
+const activeSessions = new Map();
+
+// Alert cooldowns: "alert_type:attempt_id" -> timestamp
+const alertCooldowns = new Map();
+const ALERT_COOLDOWN_MS = 5 * 60 * 1000; // 5 minutes between same alert
+
+// ── Log Tailing ─────────────────────────────────────────────────────────────
+
+let filePosition = 0;
+let isRunning = false;
+
+/**
+ * Start the analyzer loop
+ */
+export async function startAnalyzer() {
+  if (isRunning) return;
+  isRunning = true;
+
+  console.log("[agent-work-analyzer] Starting...");
+
+  // Ensure alerts log exists
+  if (!existsSync(ALERTS_LOG)) {
+    await writeFile(ALERTS_LOG, "");
+  }
+
+  // Initial read of existing log
+  if (existsSync(AGENT_WORK_STREAM)) {
+    filePosition = await processLogFile(filePosition);
+  }
+
+  // Watch for changes
+  console.log(`[agent-work-analyzer] Watching: ${AGENT_WORK_STREAM}`);
+
+  const watcher = watch(AGENT_WORK_STREAM, { persistent: true });
+
+  try {
+    for await (const event of watcher) {
+      if (event.eventType === "change") {
+        filePosition = await processLogFile(filePosition);
+      }
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error(`[agent-work-analyzer] Watcher error: ${err.message}`);
+    }
+  }
+}
+
+/**
+ * Stop the analyzer
+ */
+export function stopAnalyzer() {
+  isRunning = false;
+  console.log("[agent-work-analyzer] Stopped");
+}
+
+/**
+ * Process log file from given position
+ * @param {number} startPosition - Byte offset to start reading from
+ * @returns {Promise<number>} New file position
+ */
+async function processLogFile(startPosition) {
+  try {
+    const stats = await stat(AGENT_WORK_STREAM);
+    if (stats.size <= startPosition) {
+      return startPosition; // No new data
+    }
+
+    const stream = createReadStream(AGENT_WORK_STREAM, {
+      start: startPosition,
+      encoding: "utf8",
+    });
+
+    const rl = createInterface({ input: stream });
+    let bytesRead = startPosition;
+
+    for await (const line of rl) {
+      bytesRead += Buffer.byteLength(line, "utf8") + 1; // +1 for newline
+
+      try {
+        const event = JSON.parse(line);
+        await analyzeEvent(event);
+      } catch (err) {
+        console.error(
+          `[agent-work-analyzer] Failed to parse log line: ${err.message}`,
+        );
+      }
+    }
+
+    return bytesRead;
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error(`[agent-work-analyzer] Error reading log: ${err.message}`);
+    }
+    return startPosition;
+  }
+}
+
+// ── Event Analysis ──────────────────────────────────────────────────────────
+
+/**
+ * Analyze a single log event
+ * @param {Object} event - Parsed JSONL event
+ */
+async function analyzeEvent(event) {
+  const { attempt_id, event_type, timestamp, data } = event;
+
+  // Initialize session state if needed
+  if (!activeSessions.has(attempt_id)) {
+    activeSessions.set(attempt_id, {
+      attempt_id,
+      errors: [],
+      toolCalls: [],
+      lastActivity: timestamp,
+      startedAt: timestamp,
+      taskId: event.task_id,
+      executor: event.executor,
+    });
+  }
+
+  const session = activeSessions.get(attempt_id);
+  session.lastActivity = timestamp;
+
+  // Route to specific analyzers
+  switch (event_type) {
+    case "error":
+      await analyzeError(session, event);
+      break;
+    case "tool_call":
+      await analyzeToolCall(session, event);
+      break;
+    case "session_start":
+      await analyzeSessionStart(session, event);
+      break;
+    case "session_end":
+      await analyzeSessionEnd(session, event);
+      activeSessions.delete(attempt_id);
+      break;
+  }
+
+  // Continuous checks
+  await checkStuckAgent(session, event);
+}
+
+// ── Pattern Analyzers ───────────────────────────────────────────────────────
+
+/**
+ * Analyze error events for loops
+ */
+async function analyzeError(session, event) {
+  const { error_fingerprint, error_message } = event.data;
+
+  session.errors.push({
+    fingerprint: error_fingerprint || "unknown",
+    message: error_message,
+    timestamp: event.timestamp,
+  });
+
+  // Check for error loops
+  const cutoff = Date.now() - ERROR_LOOP_WINDOW_MS;
+  const recentErrors = session.errors.filter(
+    (e) => new Date(e.timestamp).getTime() >= cutoff,
+  );
+
+  const errorCounts = {};
+  for (const err of recentErrors) {
+    errorCounts[err.fingerprint] = (errorCounts[err.fingerprint] || 0) + 1;
+  }
+
+  // Alert if same error repeats N+ times
+  for (const [fingerprint, count] of Object.entries(errorCounts)) {
+    if (count >= ERROR_LOOP_THRESHOLD) {
+      await emitAlert({
+        type: "error_loop",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        error_fingerprint: fingerprint,
+        occurrences: count,
+        sample_message:
+          recentErrors.find((e) => e.fingerprint === fingerprint)?.message ||
+          "",
+        recommendation: "trigger_ai_autofix",
+        severity: "high",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze tool call events for loops
+ */
+async function analyzeToolCall(session, event) {
+  const { tool_name } = event.data;
+
+  session.toolCalls.push({
+    tool: tool_name,
+    timestamp: event.timestamp,
+  });
+
+  // Check for tool loops
+  const cutoff = Date.now() - TOOL_LOOP_WINDOW_MS;
+  const recentCalls = session.toolCalls.filter(
+    (c) => new Date(c.timestamp).getTime() >= cutoff,
+  );
+
+  const toolCounts = {};
+  for (const call of recentCalls) {
+    toolCounts[call.tool] = (toolCounts[call.tool] || 0) + 1;
+  }
+
+  // Alert if same tool called N+ times rapidly
+  for (const [tool, count] of Object.entries(toolCounts)) {
+    if (count >= TOOL_LOOP_THRESHOLD) {
+      await emitAlert({
+        type: "tool_loop",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        tool_name: tool,
+        occurrences: count,
+        window_ms: TOOL_LOOP_WINDOW_MS,
+        recommendation: "fresh_session",
+        severity: "medium",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze session start events
+ */
+async function analyzeSessionStart(session, event) {
+  const { prompt_type, followup_reason } = event.data;
+
+  // Track session restarts
+  if (prompt_type === "followup" || prompt_type === "retry") {
+    session.restartCount = (session.restartCount || 0) + 1;
+
+    // Alert if too many restarts
+    if (session.restartCount >= 3) {
+      await emitAlert({
+        type: "excessive_restarts",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        restart_count: session.restartCount,
+        last_reason: followup_reason,
+        recommendation: "manual_review",
+        severity: "medium",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze session end events
+ */
+async function analyzeSessionEnd(session, event) {
+  const { completion_status, duration_ms, cost_usd } = event.data;
+
+  // Cost anomaly detection
+  if (cost_usd && cost_usd > COST_ANOMALY_THRESHOLD_USD) {
+    await emitAlert({
+      type: "cost_anomaly",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      cost_usd,
+      duration_ms,
+      threshold_usd: COST_ANOMALY_THRESHOLD_USD,
+      recommendation: "review_prompt_efficiency",
+      severity: "low",
+    });
+  }
+
+  // Failed session with many errors
+  if (
+    completion_status === "failed" &&
+    session.errors.length >= ERROR_LOOP_THRESHOLD
+  ) {
+    await emitAlert({
+      type: "failed_session_high_errors",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      error_count: session.errors.length,
+      error_fingerprints: [
+        ...new Set(session.errors.map((e) => e.fingerprint)),
+      ],
+      recommendation: "analyze_root_cause",
+      severity: "high",
+    });
+  }
+}
+
+/**
+ * Check if agent appears stuck (no activity for X minutes)
+ */
+async function checkStuckAgent(session, event) {
+  const lastActivityTime = new Date(session.lastActivity).getTime();
+  const timeSinceActivity = Date.now() - lastActivityTime;
+
+  if (timeSinceActivity > STUCK_DETECTION_THRESHOLD_MS) {
+    await emitAlert({
+      type: "stuck_agent",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      idle_time_ms: timeSinceActivity,
+      threshold_ms: STUCK_DETECTION_THRESHOLD_MS,
+      recommendation: "check_agent_health",
+      severity: "medium",
+    });
+  }
+}
+
+// ── Alert System ────────────────────────────────────────────────────────────
+
+/**
+ * Emit an alert to the alerts log
+ * @param {Object} alert - Alert data
+ */
+async function emitAlert(alert) {
+  const alertKey = `${alert.type}:${alert.attempt_id}`;
+
+  // Check cooldown
+  const lastAlert = alertCooldowns.get(alertKey);
+  if (lastAlert && Date.now() - lastAlert < ALERT_COOLDOWN_MS) {
+    return; // Skip duplicate alerts
+  }
+
+  alertCooldowns.set(alertKey, Date.now());
+
+  const alertEntry = {
+    timestamp: new Date().toISOString(),
+    ...alert,
+  };
+
+  console.error(`[ALERT] ${alert.type}: ${alert.attempt_id}`);
+
+  // Append to alerts log
+  try {
+    await appendFile(ALERTS_LOG, JSON.stringify(alertEntry) + "\n");
+  } catch (err) {
+    console.error(`[agent-work-analyzer] Failed to write alert: ${err.message}`);
+  }
+}
+
+// ── Cleanup Old Sessions ────────────────────────────────────────────────────
+
+setInterval(() => {
+  const cutoff = Date.now() - 60 * 60 * 1000; // 1 hour
+
+  for (const [attemptId, session] of activeSessions.entries()) {
+    const lastActivityTime = new Date(session.lastActivity).getTime();
+    if (lastActivityTime < cutoff) {
+      activeSessions.delete(attemptId);
+    }
+  }
+}, 10 * 60 * 1000); // Cleanup every 10 minutes
+
+// ── Exports ─────────────────────────────────────────────────────────────────
+

package/claude-shell.mjs

@@ -430,12 +430,22 @@ async function saveState() {
   }
 }
 
+function extractTaskHeading(msg) {
+  // Prompt first line is "# TASKID — Task Title" (from _buildTaskPrompt).
+  // Return just the task title portion, or a short fallback.
+  const firstLine = msg.split(/\r?\n/)[0].replace(/^#+\s*/, '').trim();
+  const dashIdx = firstLine.indexOf(' \u2014 ');
+  const heading = dashIdx !== -1 ? firstLine.slice(dashIdx + 3).trim() : firstLine;
+  return heading || 'Execute Task';
+}
+
 function buildPrompt(userMessage, statusData) {
+  const title = extractTaskHeading(userMessage);
   if (!statusData) {
-    return `# YOUR TASK — EXECUTE NOW\n\n${userMessage}\n\n---\nDo NOT respond with \"Ready\" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
+    return `# ${title}\n\n${userMessage}\n\n---\nDo NOT respond with "Ready" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
   }
   const statusSnippet = JSON.stringify(statusData, null, 2).slice(0, 2000);
-  return `[Orchestrator Status]\n\`\`\`json\n${statusSnippet}\n\`\`\`\n\n# YOUR TASK — EXECUTE NOW\n\n${userMessage}\n\n---\nDo NOT respond with \"Ready\" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
+  return `[Orchestrator Status]\n\`\`\`json\n${statusSnippet}\n\`\`\`\n\n# ${title}\n\n${userMessage}\n\n---\nDo NOT respond with "Ready" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
 }
 
 // ── Main Execution ─────────────────────────────────────────────────────────

package/desktop/main.mjs

@@ -3,6 +3,8 @@ import { dirname, join, resolve } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { existsSync, readFileSync } from "node:fs";
 import { execFileSync, spawn } from "node:child_process";
+import { request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
 import { homedir } from "node:os";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -12,6 +14,7 @@ let shuttingDown = false;
 let uiServerStarted = false;
 let uiOrigin = null;
 let uiApi = null;
+let runtimeConfigLoaded = false;
 
 const DAEMON_PID_FILE = resolve(homedir(), ".cache", "bosun", "daemon.pid");
 
@@ -86,12 +89,77 @@ async function loadBosunModule(file) {
   return import(pathToFileURL(modulePath).href);
 }
 
+async function loadRuntimeConfig() {
+  if (runtimeConfigLoaded) return;
+  try {
+    const config = await loadBosunModule("config.mjs");
+    if (typeof config?.loadConfig === "function") {
+      config.loadConfig(["node", "desktop"], { reloadEnv: true });
+    }
+  } catch (err) {
+    console.warn("[desktop] failed to load config env", err?.message || err);
+  }
+  runtimeConfigLoaded = true;
+}
+
 async function loadUiServerModule() {
   if (uiApi) return uiApi;
   uiApi = await loadBosunModule("ui-server.mjs");
   return uiApi;
 }
 
+function buildDaemonUiBaseUrl() {
+  const rawPort = Number(process.env.TELEGRAM_UI_PORT || "0");
+  if (!Number.isFinite(rawPort) || rawPort <= 0) return null;
+  const tlsDisabled = parseBoolEnv(process.env.TELEGRAM_UI_TLS_DISABLE, false);
+  const protocol = tlsDisabled ? "http" : "https";
+  const host =
+    process.env.TELEGRAM_UI_DESKTOP_HOST ||
+    process.env.TELEGRAM_UI_HOST ||
+    "127.0.0.1";
+  return `${protocol}://${host}:${rawPort}`;
+}
+
+async function probeUiServer(url) {
+  return new Promise((resolve) => {
+    try {
+      const isHttps = url.startsWith("https://");
+      const req = (isHttps ? httpsRequest : httpRequest)(
+        `${url}/api/status`,
+        {
+          method: "GET",
+          timeout: 1500,
+          rejectUnauthorized: false,
+        },
+        (res) => {
+          res.resume();
+          resolve(Boolean(res.statusCode && res.statusCode < 500));
+        },
+      );
+      req.on("error", () => resolve(false));
+      req.on("timeout", () => {
+        req.destroy();
+        resolve(false);
+      });
+      req.end();
+    } catch {
+      resolve(false);
+    }
+  });
+}
+
+async function resolveDaemonUiUrl() {
+  const useDaemon = parseBoolEnv(
+    process.env.BOSUN_DESKTOP_USE_DAEMON_UI,
+    true,
+  );
+  if (!useDaemon) return null;
+  const base = buildDaemonUiBaseUrl();
+  if (!base) return null;
+  const ok = await probeUiServer(base);
+  return ok ? base : null;
+}
+
 async function ensureDaemonRunning() {
   const autoStart = parseBoolEnv(
     process.env.BOSUN_DESKTOP_AUTO_START_DAEMON,
@@ -148,6 +216,13 @@ async function startUiServer() {
 }
 
 async function buildUiUrl() {
+  await loadRuntimeConfig();
+  const daemonUrl = await resolveDaemonUiUrl();
+  if (daemonUrl) {
+    uiOrigin = new URL(daemonUrl).origin;
+    return daemonUrl;
+  }
+  await startUiServer();
   const api = await loadUiServerModule();
   const uiServerUrl = api.getTelegramUiUrl();
   if (!uiServerUrl) {
@@ -196,8 +271,8 @@ async function bootstrap() {
   try {
     app.setAppUserModelId("com.virtengine.bosun");
     process.chdir(resolveBosunRoot());
+    await loadRuntimeConfig();
     await ensureDaemonRunning();
-    await startUiServer();
     await createMainWindow();
     await maybeAutoUpdate();
   } catch (error) {
@@ -231,8 +306,10 @@ async function shutdown(reason) {
   }
 
   try {
-    const api = await loadUiServerModule();
-    api.stopTelegramUiServer();
+    if (uiServerStarted) {
+      const api = await loadUiServerModule();
+      api.stopTelegramUiServer();
+    }
   } catch (error) {
     console.error("[desktop] failed to stop ui-server", error);
   }
@@ -243,7 +320,7 @@ async function shutdown(reason) {
 app.on("before-quit", () => {
   shuttingDown = true;
   try {
-    if (uiApi?.stopTelegramUiServer) {
+    if (uiServerStarted && uiApi?.stopTelegramUiServer) {
       uiApi.stopTelegramUiServer();
     }
   } catch (error) {