bosun 0.28.0 → 0.28.2

package/.env.example

@@ -77,7 +77,21 @@ TELEGRAM_MINIAPP_ENABLED=false
 # Full public URL override (takes precedence over host/port auto-detection).
 # Use when you have a reverse proxy or tunnel with HTTPS.
 # TELEGRAM_UI_BASE_URL=https://your-public-ui.example.com
-# Skip Telegram initData authentication (for local browser testing only).
+# ╔══════════════════════════════════════════════════════════════════════╗
+# ║ ⛔ DANGER — SECURITY CRITICAL                                       ║
+# ║                                                                      ║
+# ║ Setting ALLOW_UNSAFE=true disables ALL authentication on the UI.     ║
+# ║ Anyone who discovers your URL can:                                   ║
+# ║  • Read/modify your tasks and settings                               ║
+# ║  • Send commands to agents that execute code on YOUR machine         ║
+# ║  • Access secrets, API keys, and environment variables               ║
+# ║                                                                      ║
+# ║ Combined with TELEGRAM_UI_TUNNEL=auto (Cloudflare tunnel), your UI   ║
+# ║ gets a PUBLIC internet URL — meaning ANYONE ON THE INTERNET can      ║
+# ║ find and control your machine.                                       ║
+# ║                                                                      ║
+# ║ ONLY enable this for localhost-only debugging with tunnel DISABLED.  ║
+# ╚══════════════════════════════════════════════════════════════════════╝
 # TELEGRAM_UI_ALLOW_UNSAFE=false
 # Max age in seconds for initData auth tokens (default: 86400 = 24h)
 # TELEGRAM_UI_AUTH_MAX_AGE_SEC=86400
@@ -155,6 +169,13 @@ TELEGRAM_MINIAPP_ENABLED=false
 # Priority threshold for immediate delivery: 1=critical only, 2=critical+errors (default: 1)
 # TELEGRAM_IMMEDIATE_PRIORITY=1
 
+# ─── Auto-Delete Old Messages ──────────────────────────────────────────────────────────
+# Automatically delete bot messages older than N days to keep chat tidy.
+# Set to 0 to disable. Default: 3 days.
+# Note: Telegram’s API may silently skip messages older than 48 h in private
+# chats — those will just remain; no error is raised.
+# TELEGRAM_HISTORY_RETENTION_DAYS=3
+
 # ─── Presence & Multi-Instance Coordination ──────────────────────────────────
 # Presence heartbeat allows discovering multiple bosun instances.
 # Heartbeat interval in seconds (default: 60)

package/README.md

@@ -1,12 +1,23 @@
-# ![virtengine bosun ai agent](site/logo.png) bosun
+<p align="center">
+  <img src="site/logo.png" alt="virtengine bosun ai agent" width="150" />
+</p>
+<h1 align="center">bosun</h1>
 
 Bosun is a production-grade supervisor for AI coding agents. It routes tasks across executors, automates PR lifecycles, and keeps operators in control through Telegram, the Mini App dashboard, and optional WhatsApp notifications.
 
-[Website](https://bosun.virtengine.com) · [Docs](https://bosun.virtengine.com/docs/) · [GitHub](https://github.com/virtengine/bosun?tab=readme-ov-file#bosun) · [npm](https://www.npmjs.com/package/bosun) · [Issues](https://github.com/virtengine/bosun/issues)
+<p align="center">
+  <a href="https://bosun.virtengine.com">Website</a> · <a href="https://bosun.virtengine.com/docs/">Docs</a> · <a href="https://github.com/virtengine/bosun?tab=readme-ov-file#bosun">GitHub</a> · <a href="https://www.npmjs.com/package/bosun">npm</a> · <a href="https://github.com/virtengine/bosun/issues">Issues</a>
+</p>
 
-[![CI](https://github.com/virtengine/bosun/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/virtengine/bosun/actions/workflows/ci.yaml)
-[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-[![npm](https://img.shields.io/npm/v/bosun.svg)](https://www.npmjs.com/package/bosun)
+<p align="center">
+  <img src="site/social-banner.png" alt="bosun — AI agent supervisor" width="100%" />
+</p>
+
+<p align="center">
+  <a href="https://github.com/virtengine/bosun/actions/workflows/ci.yaml"><img src="https://github.com/virtengine/bosun/actions/workflows/ci.yaml/badge.svg?branch=main" alt="CI" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License" /></a>
+  <a href="https://www.npmjs.com/package/bosun"><img src="https://img.shields.io/npm/v/bosun.svg" alt="npm" /></a>
+</p>
 
 ---
 

package/agent-pool.mjs

@@ -71,6 +71,20 @@ function envFlagEnabled(value) {
   return ["1", "true", "yes", "on", "y"].includes(raw);
 }
 
+/**
+ * Extract a human-readable task heading from the prompt built by _buildTaskPrompt.
+ * The first line is "# TASKID — Task Title"; we return the title portion only.
+ * Falls back to the raw first line if no em-dash separator is found.
+ * @param {string} prompt
+ * @returns {string}
+ */
+function extractTaskHeading(prompt) {
+  const firstLine = String(prompt || "").split(/\r?\n/)[0].replace(/^#+\s*/, "").trim();
+  const dashIdx = firstLine.indexOf(" \u2014 ");
+  const title = dashIdx !== -1 ? firstLine.slice(dashIdx + 3).trim() : firstLine;
+  return title || "Execute Task";
+}
+
 function shouldAutoApproveCopilotPermissions() {
   const raw = process.env.COPILOT_AUTO_APPROVE_PERMISSIONS;
   if (raw === undefined || raw === null || String(raw).trim() === "") {
@@ -870,7 +884,7 @@ async function launchCopilotThread(prompt, cwd, timeoutMs, extra = {}) {
     }
 
     const formattedPrompt =
-      `# YOUR TASK — EXECUTE NOW\n\n${prompt}\n\n---\n` +
+      `# ${extractTaskHeading(prompt)}\n\n${prompt}\n\n---\n` +
       'Do NOT respond with "Ready" or ask what to do. EXECUTE this task.';
 
     const hasSend = typeof session.send === "function";
@@ -1184,7 +1198,7 @@ async function launchClaudeThread(prompt, cwd, timeoutMs, extra = {}) {
     const msgQueue = createMessageQueue();
 
     const formattedPrompt =
-      `# YOUR TASK — EXECUTE NOW\n\n${prompt}\n\n---\n` +
+      `# ${extractTaskHeading(prompt)}\n\n${prompt}\n\n---\n` +
       'Do NOT respond with "Ready" or ask what to do. EXECUTE this task.';
 
     msgQueue.push(makeUserMessage(formattedPrompt));

package/agent-work-analyzer.mjs

@@ -0,0 +1,419 @@
+/**
+ * Agent Work Stream Analyzer
+ *
+ * Tails agent-work-stream.jsonl in real-time, detects patterns, and emits alerts
+ * for bosun to consume.
+ *
+ * Features:
+ * - Error loop detection (same error N+ times)
+ * - Tool loop detection (same tool called rapidly)
+ * - Stuck agent detection (no progress for X minutes)
+ * - Context window exhaustion prediction
+ * - Cost anomaly detection (unusually expensive sessions)
+ */
+
+import { readFile, writeFile, appendFile, stat, watch } from "fs/promises";
+import { createReadStream, existsSync } from "fs";
+import { createInterface } from "readline";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const repoRoot = resolve(__dirname, "../..");
+
+// ── Configuration ───────────────────────────────────────────────────────────
+const AGENT_WORK_STREAM = resolve(
+  repoRoot,
+  ".cache/agent-work-logs/agent-work-stream.jsonl",
+);
+const ALERTS_LOG = resolve(
+  repoRoot,
+  ".cache/agent-work-logs/agent-alerts.jsonl",
+);
+
+const ERROR_LOOP_THRESHOLD = Number(
+  process.env.AGENT_ERROR_LOOP_THRESHOLD || "4",
+);
+const ERROR_LOOP_WINDOW_MS = 10 * 60 * 1000; // 10 minutes
+
+const TOOL_LOOP_THRESHOLD = Number(
+  process.env.AGENT_TOOL_LOOP_THRESHOLD || "10",
+);
+const TOOL_LOOP_WINDOW_MS = 60 * 1000; // 1 minute
+
+const STUCK_DETECTION_THRESHOLD_MS = Number(
+  process.env.AGENT_STUCK_THRESHOLD_MS || String(5 * 60 * 1000),
+); // 5 minutes
+
+const COST_ANOMALY_THRESHOLD_USD = Number(
+  process.env.AGENT_COST_ANOMALY_THRESHOLD || "1.0",
+);
+
+// ── State Tracking ──────────────────────────────────────────────────────────
+
+// Active session state: sessionId -> { ... }
+const activeSessions = new Map();
+
+// Alert cooldowns: "alert_type:attempt_id" -> timestamp
+const alertCooldowns = new Map();
+const ALERT_COOLDOWN_MS = 5 * 60 * 1000; // 5 minutes between same alert
+
+// ── Log Tailing ─────────────────────────────────────────────────────────────
+
+let filePosition = 0;
+let isRunning = false;
+
+/**
+ * Start the analyzer loop
+ */
+export async function startAnalyzer() {
+  if (isRunning) return;
+  isRunning = true;
+
+  console.log("[agent-work-analyzer] Starting...");
+
+  // Ensure alerts log exists
+  if (!existsSync(ALERTS_LOG)) {
+    await writeFile(ALERTS_LOG, "");
+  }
+
+  // Initial read of existing log
+  if (existsSync(AGENT_WORK_STREAM)) {
+    filePosition = await processLogFile(filePosition);
+  }
+
+  // Watch for changes
+  console.log(`[agent-work-analyzer] Watching: ${AGENT_WORK_STREAM}`);
+
+  const watcher = watch(AGENT_WORK_STREAM, { persistent: true });
+
+  try {
+    for await (const event of watcher) {
+      if (event.eventType === "change") {
+        filePosition = await processLogFile(filePosition);
+      }
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error(`[agent-work-analyzer] Watcher error: ${err.message}`);
+    }
+  }
+}
+
+/**
+ * Stop the analyzer
+ */
+export function stopAnalyzer() {
+  isRunning = false;
+  console.log("[agent-work-analyzer] Stopped");
+}
+
+/**
+ * Process log file from given position
+ * @param {number} startPosition - Byte offset to start reading from
+ * @returns {Promise<number>} New file position
+ */
+async function processLogFile(startPosition) {
+  try {
+    const stats = await stat(AGENT_WORK_STREAM);
+    if (stats.size <= startPosition) {
+      return startPosition; // No new data
+    }
+
+    const stream = createReadStream(AGENT_WORK_STREAM, {
+      start: startPosition,
+      encoding: "utf8",
+    });
+
+    const rl = createInterface({ input: stream });
+    let bytesRead = startPosition;
+
+    for await (const line of rl) {
+      bytesRead += Buffer.byteLength(line, "utf8") + 1; // +1 for newline
+
+      try {
+        const event = JSON.parse(line);
+        await analyzeEvent(event);
+      } catch (err) {
+        console.error(
+          `[agent-work-analyzer] Failed to parse log line: ${err.message}`,
+        );
+      }
+    }
+
+    return bytesRead;
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      console.error(`[agent-work-analyzer] Error reading log: ${err.message}`);
+    }
+    return startPosition;
+  }
+}
+
+// ── Event Analysis ──────────────────────────────────────────────────────────
+
+/**
+ * Analyze a single log event
+ * @param {Object} event - Parsed JSONL event
+ */
+async function analyzeEvent(event) {
+  const { attempt_id, event_type, timestamp, data } = event;
+
+  // Initialize session state if needed
+  if (!activeSessions.has(attempt_id)) {
+    activeSessions.set(attempt_id, {
+      attempt_id,
+      errors: [],
+      toolCalls: [],
+      lastActivity: timestamp,
+      startedAt: timestamp,
+      taskId: event.task_id,
+      executor: event.executor,
+    });
+  }
+
+  const session = activeSessions.get(attempt_id);
+  session.lastActivity = timestamp;
+
+  // Route to specific analyzers
+  switch (event_type) {
+    case "error":
+      await analyzeError(session, event);
+      break;
+    case "tool_call":
+      await analyzeToolCall(session, event);
+      break;
+    case "session_start":
+      await analyzeSessionStart(session, event);
+      break;
+    case "session_end":
+      await analyzeSessionEnd(session, event);
+      activeSessions.delete(attempt_id);
+      break;
+  }
+
+  // Continuous checks
+  await checkStuckAgent(session, event);
+}
+
+// ── Pattern Analyzers ───────────────────────────────────────────────────────
+
+/**
+ * Analyze error events for loops
+ */
+async function analyzeError(session, event) {
+  const { error_fingerprint, error_message } = event.data;
+
+  session.errors.push({
+    fingerprint: error_fingerprint || "unknown",
+    message: error_message,
+    timestamp: event.timestamp,
+  });
+
+  // Check for error loops
+  const cutoff = Date.now() - ERROR_LOOP_WINDOW_MS;
+  const recentErrors = session.errors.filter(
+    (e) => new Date(e.timestamp).getTime() >= cutoff,
+  );
+
+  const errorCounts = {};
+  for (const err of recentErrors) {
+    errorCounts[err.fingerprint] = (errorCounts[err.fingerprint] || 0) + 1;
+  }
+
+  // Alert if same error repeats N+ times
+  for (const [fingerprint, count] of Object.entries(errorCounts)) {
+    if (count >= ERROR_LOOP_THRESHOLD) {
+      await emitAlert({
+        type: "error_loop",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        error_fingerprint: fingerprint,
+        occurrences: count,
+        sample_message:
+          recentErrors.find((e) => e.fingerprint === fingerprint)?.message ||
+          "",
+        recommendation: "trigger_ai_autofix",
+        severity: "high",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze tool call events for loops
+ */
+async function analyzeToolCall(session, event) {
+  const { tool_name } = event.data;
+
+  session.toolCalls.push({
+    tool: tool_name,
+    timestamp: event.timestamp,
+  });
+
+  // Check for tool loops
+  const cutoff = Date.now() - TOOL_LOOP_WINDOW_MS;
+  const recentCalls = session.toolCalls.filter(
+    (c) => new Date(c.timestamp).getTime() >= cutoff,
+  );
+
+  const toolCounts = {};
+  for (const call of recentCalls) {
+    toolCounts[call.tool] = (toolCounts[call.tool] || 0) + 1;
+  }
+
+  // Alert if same tool called N+ times rapidly
+  for (const [tool, count] of Object.entries(toolCounts)) {
+    if (count >= TOOL_LOOP_THRESHOLD) {
+      await emitAlert({
+        type: "tool_loop",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        tool_name: tool,
+        occurrences: count,
+        window_ms: TOOL_LOOP_WINDOW_MS,
+        recommendation: "fresh_session",
+        severity: "medium",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze session start events
+ */
+async function analyzeSessionStart(session, event) {
+  const { prompt_type, followup_reason } = event.data;
+
+  // Track session restarts
+  if (prompt_type === "followup" || prompt_type === "retry") {
+    session.restartCount = (session.restartCount || 0) + 1;
+
+    // Alert if too many restarts
+    if (session.restartCount >= 3) {
+      await emitAlert({
+        type: "excessive_restarts",
+        attempt_id: session.attempt_id,
+        task_id: session.taskId,
+        executor: session.executor,
+        restart_count: session.restartCount,
+        last_reason: followup_reason,
+        recommendation: "manual_review",
+        severity: "medium",
+      });
+    }
+  }
+}
+
+/**
+ * Analyze session end events
+ */
+async function analyzeSessionEnd(session, event) {
+  const { completion_status, duration_ms, cost_usd } = event.data;
+
+  // Cost anomaly detection
+  if (cost_usd && cost_usd > COST_ANOMALY_THRESHOLD_USD) {
+    await emitAlert({
+      type: "cost_anomaly",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      cost_usd,
+      duration_ms,
+      threshold_usd: COST_ANOMALY_THRESHOLD_USD,
+      recommendation: "review_prompt_efficiency",
+      severity: "low",
+    });
+  }
+
+  // Failed session with many errors
+  if (
+    completion_status === "failed" &&
+    session.errors.length >= ERROR_LOOP_THRESHOLD
+  ) {
+    await emitAlert({
+      type: "failed_session_high_errors",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      error_count: session.errors.length,
+      error_fingerprints: [
+        ...new Set(session.errors.map((e) => e.fingerprint)),
+      ],
+      recommendation: "analyze_root_cause",
+      severity: "high",
+    });
+  }
+}
+
+/**
+ * Check if agent appears stuck (no activity for X minutes)
+ */
+async function checkStuckAgent(session, event) {
+  const lastActivityTime = new Date(session.lastActivity).getTime();
+  const timeSinceActivity = Date.now() - lastActivityTime;
+
+  if (timeSinceActivity > STUCK_DETECTION_THRESHOLD_MS) {
+    await emitAlert({
+      type: "stuck_agent",
+      attempt_id: session.attempt_id,
+      task_id: session.taskId,
+      executor: session.executor,
+      idle_time_ms: timeSinceActivity,
+      threshold_ms: STUCK_DETECTION_THRESHOLD_MS,
+      recommendation: "check_agent_health",
+      severity: "medium",
+    });
+  }
+}
+
+// ── Alert System ────────────────────────────────────────────────────────────
+
+/**
+ * Emit an alert to the alerts log
+ * @param {Object} alert - Alert data
+ */
+async function emitAlert(alert) {
+  const alertKey = `${alert.type}:${alert.attempt_id}`;
+
+  // Check cooldown
+  const lastAlert = alertCooldowns.get(alertKey);
+  if (lastAlert && Date.now() - lastAlert < ALERT_COOLDOWN_MS) {
+    return; // Skip duplicate alerts
+  }
+
+  alertCooldowns.set(alertKey, Date.now());
+
+  const alertEntry = {
+    timestamp: new Date().toISOString(),
+    ...alert,
+  };
+
+  console.error(`[ALERT] ${alert.type}: ${alert.attempt_id}`);
+
+  // Append to alerts log
+  try {
+    await appendFile(ALERTS_LOG, JSON.stringify(alertEntry) + "\n");
+  } catch (err) {
+    console.error(`[agent-work-analyzer] Failed to write alert: ${err.message}`);
+  }
+}
+
+// ── Cleanup Old Sessions ────────────────────────────────────────────────────
+
+setInterval(() => {
+  const cutoff = Date.now() - 60 * 60 * 1000; // 1 hour
+
+  for (const [attemptId, session] of activeSessions.entries()) {
+    const lastActivityTime = new Date(session.lastActivity).getTime();
+    if (lastActivityTime < cutoff) {
+      activeSessions.delete(attemptId);
+    }
+  }
+}, 10 * 60 * 1000); // Cleanup every 10 minutes
+
+// ── Exports ─────────────────────────────────────────────────────────────────
+

package/claude-shell.mjs

@@ -430,12 +430,22 @@ async function saveState() {
   }
 }
 
+function extractTaskHeading(msg) {
+  // Prompt first line is "# TASKID — Task Title" (from _buildTaskPrompt).
+  // Return just the task title portion, or a short fallback.
+  const firstLine = msg.split(/\r?\n/)[0].replace(/^#+\s*/, '').trim();
+  const dashIdx = firstLine.indexOf(' \u2014 ');
+  const heading = dashIdx !== -1 ? firstLine.slice(dashIdx + 3).trim() : firstLine;
+  return heading || 'Execute Task';
+}
+
 function buildPrompt(userMessage, statusData) {
+  const title = extractTaskHeading(userMessage);
   if (!statusData) {
-    return `# YOUR TASK — EXECUTE NOW\n\n${userMessage}\n\n---\nDo NOT respond with \"Ready\" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
+    return `# ${title}\n\n${userMessage}\n\n---\nDo NOT respond with "Ready" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
   }
   const statusSnippet = JSON.stringify(statusData, null, 2).slice(0, 2000);
-  return `[Orchestrator Status]\n\`\`\`json\n${statusSnippet}\n\`\`\`\n\n# YOUR TASK — EXECUTE NOW\n\n${userMessage}\n\n---\nDo NOT respond with \"Ready\" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
+  return `[Orchestrator Status]\n\`\`\`json\n${statusSnippet}\n\`\`\`\n\n# ${title}\n\n${userMessage}\n\n---\nDo NOT respond with "Ready" or ask what to do. EXECUTE this task. Read files, run commands, produce detailed output.`;
 }
 
 // ── Main Execution ─────────────────────────────────────────────────────────

package/desktop/launch.mjs

@@ -1,4 +1,4 @@
-import { existsSync } from "node:fs";
+import { existsSync, statSync } from "node:fs";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { spawnSync, spawn } from "node:child_process";
@@ -7,6 +7,28 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const desktopDir = resolve(__dirname);
 const binName = process.platform === "win32" ? "electron.cmd" : "electron";
 const electronBin = resolve(desktopDir, "node_modules", ".bin", binName);
+const chromeSandbox = resolve(
+  desktopDir,
+  "node_modules",
+  "electron",
+  "dist",
+  "chrome-sandbox",
+);
+
+function shouldDisableSandbox() {
+  if (process.env.BOSUN_DESKTOP_DISABLE_SANDBOX === "1") return true;
+  if (process.platform !== "linux") return false;
+  if (!existsSync(chromeSandbox)) return true;
+  try {
+    const stats = statSync(chromeSandbox);
+    const mode = stats.mode & 0o7777;
+    const isRootOwned = stats.uid === 0;
+    const isSetuid = mode === 0o4755;
+    return !(isRootOwned && isSetuid);
+  } catch {
+    return true;
+  }
+}
 
 function ensureElectronInstalled() {
   if (existsSync(electronBin)) return true;
@@ -28,11 +50,18 @@ function launch() {
     process.exit(1);
   }
 
-  const child = spawn(electronBin, [desktopDir], {
+  const disableSandbox = shouldDisableSandbox();
+  const args = [desktopDir];
+  if (disableSandbox) {
+    args.push("--no-sandbox", "--disable-gpu-sandbox");
+  }
+
+  const child = spawn(electronBin, args, {
     stdio: "inherit",
     env: {
       ...process.env,
       BOSUN_DESKTOP: "1",
+      ...(disableSandbox ? { ELECTRON_DISABLE_SANDBOX: "1" } : {}),
     },
   });