copilot-reverse 0.5.0 → 0.5.1

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { probeSupervisor } from "../daemon/lifecycle.js";
 import { startSupervisor } from "../supervisor/index.js";
 import { runAssistantTurn } from "../tui/assistant/runtime.js";
 import { makeOnChat } from "../tui/assistant/on-chat.js";
-import { readGhToken, clearGhToken } from "../shared/creds.js";
+import { readGhToken, clearGhToken, hasGhTokenFile } from "../shared/creds.js";
 import { writeWebIqKey, readWebIqKey, clearWebIqKey, readWebSearchMode, writeWebSearchMode, resolveWebSearchBackend } from "../shared/webiq-key.js";
 import { readClientSetup, writeClientSetup } from "../shared/client-setup.js";
 import { readChatModel, writeChatModel } from "../shared/prefs.js";
@@ -24,13 +24,42 @@ import { claudeCopilotReverseEnv } from "../tui/setup/clients.js";
 import { dataDir } from "../shared/paths.js";
 import { defaultConfig } from "../shared/config.js";
 import { APP_VERSION } from "../version.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 const delay = (ms) => new Promise((r) => setTimeout(r, ms));
 const DEFAULT_MODEL = "gpt-4o"; // a valid Copilot model id; pass-through routing uses it as-is
 // Conservative context budget that drives the assistant's auto-compaction. Sized below the
 // common Copilot prompt window (gpt-4o ≈ 128K) so the engine compacts before the upstream
 // rejects an over-long turn. TODO: read each model's real max_prompt_tokens from /models.
 const DEFAULT_MAX_INPUT_TOKENS = 110_000;
+// Process-level backstop. The TUI and the supervisor run in ONE process, so a stray throw or an
+// unhandled rejection anywhere (a dead SSE socket, a bad creds read, an SDK stream) would otherwise
+// terminate the whole app and drop the user back to the shell — especially on Node ≥15, where an
+// unhandled rejection is fatal by default. We log to a file (Ink owns stdout, so console writes would
+// corrupt the render) and keep running; the specific throw sites are also guarded at their source.
+//
+// uncaughtException is treated differently from unhandledRejection: Node documents the process as
+// being in an undefined state afterward, so swallowing it indefinitely risks spinning forever on a
+// recurring throw against corrupted state. A circuit breaker counts exceptions in a short window and
+// lets the process die once they storm, so a user/supervisor restart gets a clean process — while a
+// lone transient exception is still survived.
+const UNCAUGHT_STORM_COUNT = 5;
+const UNCAUGHT_STORM_WINDOW_MS = 10_000;
+function installProcessBackstop() {
+    process.on("unhandledRejection", (reason) => appendCrashLog("unhandledRejection", reason));
+    let recent = [];
+    process.on("uncaughtException", (err) => {
+        appendCrashLog("uncaughtException", err);
+        const now = Date.now();
+        recent = recent.filter((t) => now - t < UNCAUGHT_STORM_WINDOW_MS);
+        recent.push(now);
+        if (recent.length >= UNCAUGHT_STORM_COUNT) {
+            appendCrashLog("uncaughtException", `${UNCAUGHT_STORM_COUNT} exceptions within ${UNCAUGHT_STORM_WINDOW_MS}ms — exiting for a clean restart`);
+            process.exit(1);
+        }
+    });
+}
 async function launchTui() {
+    installProcessBackstop();
     const cfg = defaultConfig();
     const existingToken = readGhToken(dataDir());
     if (!existingToken) {
@@ -90,15 +119,19 @@ async function launchTui() {
         const { code, complete } = await beginDeviceLogin(dataDir());
         show([`Open ${code.verification_uri} and enter code: ${code.user_code}`, "waiting for authorization…"]);
         await complete();
-        // Re-point the token store at the freshly written GitHub token; the old store still holds the
-        // expired one and would 401 once its cached Copilot token rotates, breaking the model picker.
-        tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+        // Drop the cached Copilot token so the next get() does a fresh exchange with the just-written
+        // GitHub token (the store re-reads the token on each exchange, so a new instance isn't required —
+        // but resetting clears any Copilot token cached against the old login).
+        tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
         await client.restart().catch(() => { });
         return ["GitHub authorization complete — worker restarting with the new token"];
     };
     // Filled in below once we have a token; the assistant prefers a model's real window over the default.
     const modelLimits = {};
-    let tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+    // Provider form: the store re-reads the GitHub token on each exchange, so a transient unreadable
+    // creds.json (Windows lock / partial write) can't poison the store for the session — it recovers on
+    // the next clean read, and a genuinely absent token surfaces as a 401 instead of a `token null` send.
+    let tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
     const loadModels = async () => {
         const token = await tokenStore.get();
         const [ids, limits] = await Promise.all([fetchCopilotModels(token), fetchModelLimits(token)]);
@@ -137,7 +170,7 @@ async function launchTui() {
     // hangs until the turn timeout. Reuses the long-lived tokenStore so a valid login is a cached,
     // round-trip-free check between message bursts (its get() caches with a 60s skew).
     async () => {
-        if (!readGhToken(dataDir()))
+        if (!hasGhTokenFile(dataDir()))
             return "you're signed out — run /login to sign in before chatting";
         try {
             await tokenStore.get();

package/dist/providers/copilot/token.js

@@ -12,24 +12,33 @@ export class CopilotAuthError extends Error {
     }
 }
 export class CopilotTokenStore {
-    ghToken;
     fetchFn;
     nowMs;
     cached;
+    readGhToken;
+    // Accepts either a fixed token string or a provider that is re-read on each exchange. The provider
+    // form matters when the GitHub token can change or be momentarily unreadable: a captured-once null
+    // (e.g. from a transient locked-file read at construction) would otherwise poison the store for its
+    // whole lifetime, sending `authorization: token null` forever. Re-reading recovers on the next call.
     constructor(ghToken, fetchFn = fetch, nowMs = () => Date.now()) {
-        this.ghToken = ghToken;
         this.fetchFn = fetchFn;
         this.nowMs = nowMs;
+        this.readGhToken = typeof ghToken === "function" ? ghToken : () => ghToken;
     }
     async get() {
         const skewMs = 60_000;
         if (this.cached && this.cached.expiresAtMs - skewMs > this.nowMs())
             return this.cached.token;
+        const ghToken = this.readGhToken();
+        // No GitHub token (absent / unreadable on this read) is an auth failure, not a request with a
+        // literal "null" credential — surface it the same way an expired token would be.
+        if (!ghToken)
+            throw new CopilotAuthError(401);
         const ctrl = new AbortController();
         const timer = setTimeout(() => ctrl.abort(), 8000);
         let res;
         try {
-            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${this.ghToken}`, accept: "application/json" }, signal: ctrl.signal });
+            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${ghToken}`, accept: "application/json" }, signal: ctrl.signal });
         }
         finally {
             clearTimeout(timer);

package/dist/shared/crash-log.js

@@ -0,0 +1,28 @@
+import { appendFileSync, mkdirSync, renameSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { dataDir } from "./paths.js";
+export const CRASH_LOG_NAME = "crash.log";
+// Cap the log so a high-frequency error source can't fill the disk: at the limit we roll the file to
+// `crash.log.1` (one generation kept) and start fresh. Sized small — this is a diagnostics tail, not
+// an archive.
+export const CRASH_LOG_MAX_BYTES = 1_000_000;
+function rollIfTooBig(path) {
+    try {
+        if (statSync(path).size >= CRASH_LOG_MAX_BYTES)
+            renameSync(path, `${path}.1`);
+    }
+    catch { /* file absent or stat/rename raced — nothing to roll */ }
+}
+// Append one diagnostics line to ~/.copilot-reverse/crash.log. Best-effort and never throws: logging
+// must never itself crash a backstop or a swallowed-error path. Rotates at CRASH_LOG_MAX_BYTES. The
+// dir is injectable for tests; production uses the real data dir.
+export function appendCrashLog(kind, err, dir = dataDir()) {
+    const detail = err instanceof Error ? `${err.message}\n${err.stack ?? ""}` : String(err);
+    try {
+        mkdirSync(dir, { recursive: true });
+        const path = join(dir, CRASH_LOG_NAME);
+        rollIfTooBig(path);
+        appendFileSync(path, `[${new Date().toISOString()}] ${kind}: ${detail}\n`);
+    }
+    catch { /* logging is best-effort */ }
+}

package/dist/shared/creds.js

@@ -10,7 +10,23 @@ export function writeGhToken(token, dir) {
 export function readGhToken(dir) {
     if (!existsSync(file(dir)))
         return null;
-    return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    // A corrupt creds.json (partial write) or a transient read failure (Windows EBUSY/EPERM when an
+    // antivirus or a concurrent /login write holds the file) must not throw: this is called from the
+    // 60s heartbeat tick whose rejection would otherwise reach the process top level and kill the TUI.
+    // Treat an unreadable file as "no token" — the next clean read recovers it.
+    try {
+        return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// Whether a stored-token file exists at all — distinct from readGhToken, which also returns null when
+// the file is present but momentarily unreadable. The "are you signed out?" gate wants existence (a
+// transient lock on a real login should not read as signed out); the actual token validity is checked
+// separately by exchanging it.
+export function hasGhTokenFile(dir) {
+    return existsSync(file(dir));
 }
 // Remove the stored token (logout). No-op if there's nothing to remove.
 export function clearGhToken(dir) {

package/dist/supervisor/api.js

@@ -15,9 +15,24 @@ export function createControlApp(deps) {
         res.setHeader("content-type", "text/event-stream");
         res.setHeader("cache-control", "no-cache");
         res.flushHeaders?.();
-        const send = (event, data) => res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+        let off = () => { };
+        // Writing to a socket that died between broadcasts throws synchronously (ERR_STREAM_DESTROYED /
+        // EPIPE). emit() calls this on the worker-message path, so an uncaught throw would crash the
+        // in-process supervisor + TUI. Swallow the write error and unsubscribe — a dead connection should
+        // be dropped, not retried.
+        const send = (event, data) => {
+            try {
+                res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+            }
+            catch {
+                off();
+            }
+        };
+        // Subscribe BEFORE the first write so that if the hello frame throws (socket already dead), the
+        // catch's off() refers to the real unsubscribe rather than the no-op default — otherwise a dead
+        // connection would stay subscribed until the next emit or 'close'.
+        off = deps.subscribe(send);
         send("hello", { state: deps.getState() });
-        const off = deps.subscribe(send);
         req.on("close", off);
     });
     return app;

package/dist/supervisor/events.js

@@ -1,6 +1,18 @@
 export class EventBus {
     listeners = new Set();
     subscribe(fn) { this.listeners.add(fn); return () => this.listeners.delete(fn); }
-    emit(event, data) { for (const fn of this.listeners)
-        fn(event, data); }
+    // Isolate each listener: a throwing subscriber (e.g. an SSE write to a socket that died between
+    // broadcasts) must not abort the broadcast to the others, nor escape to the process top level —
+    // emit() is called synchronously from worker-message handling, so an uncaught throw here would
+    // kill the in-process supervisor + TUI. A faulting listener is dropped so it isn't retried.
+    emit(event, data) {
+        for (const fn of this.listeners) {
+            try {
+                fn(event, data);
+            }
+            catch {
+                this.listeners.delete(fn);
+            }
+        }
+    }
 }

package/dist/supervisor/github-heartbeat.js

@@ -1,4 +1,5 @@
 import { probeGithubAuth } from "../providers/copilot/token.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 // How often the supervisor re-checks the GitHub token. Token failure is rare (revoke / re-auth) and
 // GitHub rate-limits, so a slow cadence is plenty; an initial short delay populates the status soon
 // after boot without racing worker startup.
@@ -54,6 +55,14 @@ export class GithubHeartbeat {
                 return; // a late result after stop() must not resurrect the timer/state
             this.status = nextGithubStatus(this.status, Boolean(token), probe, this.now());
         }
+        catch (e) {
+            // Defense in depth: readToken()/probe() are not expected to throw (readGhToken returns null on a
+            // bad read, probeGithubAuth never throws), but the timer fires this as `void runOnce()` — an
+            // unhandled rejection here would kill the in-process supervisor + TUI. Keep the last-known status,
+            // but log it: a throw here means a real (unexpected) defect, and swallowing it silently would
+            // freeze the badge with no trace.
+            appendCrashLog("github-heartbeat", e);
+        }
         finally {
             this.inFlight = false;
         }

package/dist/version.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED by scripts/gen-version.mjs from package.json — do not edit.
-export const APP_VERSION = "0.5.0";
+export const APP_VERSION = "0.5.1";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copilot-reverse",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Interactive terminal app that exposes your GitHub Copilot subscription as local OpenAI- and Anthropic-compatible endpoints, with a self-healing daemon and a built-in assistant.",
   "type": "module",
   "license": "MIT",