copilot-reverse 0.5.0 → 0.5.2

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { probeSupervisor } from "../daemon/lifecycle.js";
 import { startSupervisor } from "../supervisor/index.js";
 import { runAssistantTurn } from "../tui/assistant/runtime.js";
 import { makeOnChat } from "../tui/assistant/on-chat.js";
-import { readGhToken, clearGhToken } from "../shared/creds.js";
+import { readGhToken, clearGhToken, hasGhTokenFile } from "../shared/creds.js";
 import { writeWebIqKey, readWebIqKey, clearWebIqKey, readWebSearchMode, writeWebSearchMode, resolveWebSearchBackend } from "../shared/webiq-key.js";
 import { readClientSetup, writeClientSetup } from "../shared/client-setup.js";
 import { readChatModel, writeChatModel } from "../shared/prefs.js";
@@ -24,13 +24,42 @@ import { claudeCopilotReverseEnv } from "../tui/setup/clients.js";
 import { dataDir } from "../shared/paths.js";
 import { defaultConfig } from "../shared/config.js";
 import { APP_VERSION } from "../version.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 const delay = (ms) => new Promise((r) => setTimeout(r, ms));
 const DEFAULT_MODEL = "gpt-4o"; // a valid Copilot model id; pass-through routing uses it as-is
 // Conservative context budget that drives the assistant's auto-compaction. Sized below the
 // common Copilot prompt window (gpt-4o ≈ 128K) so the engine compacts before the upstream
 // rejects an over-long turn. TODO: read each model's real max_prompt_tokens from /models.
 const DEFAULT_MAX_INPUT_TOKENS = 110_000;
+// Process-level backstop. The TUI and the supervisor run in ONE process, so a stray throw or an
+// unhandled rejection anywhere (a dead SSE socket, a bad creds read, an SDK stream) would otherwise
+// terminate the whole app and drop the user back to the shell — especially on Node ≥15, where an
+// unhandled rejection is fatal by default. We log to a file (Ink owns stdout, so console writes would
+// corrupt the render) and keep running; the specific throw sites are also guarded at their source.
+//
+// uncaughtException is treated differently from unhandledRejection: Node documents the process as
+// being in an undefined state afterward, so swallowing it indefinitely risks spinning forever on a
+// recurring throw against corrupted state. A circuit breaker counts exceptions in a short window and
+// lets the process die once they storm, so a user/supervisor restart gets a clean process — while a
+// lone transient exception is still survived.
+const UNCAUGHT_STORM_COUNT = 5;
+const UNCAUGHT_STORM_WINDOW_MS = 10_000;
+function installProcessBackstop() {
+    process.on("unhandledRejection", (reason) => appendCrashLog("unhandledRejection", reason));
+    let recent = [];
+    process.on("uncaughtException", (err) => {
+        appendCrashLog("uncaughtException", err);
+        const now = Date.now();
+        recent = recent.filter((t) => now - t < UNCAUGHT_STORM_WINDOW_MS);
+        recent.push(now);
+        if (recent.length >= UNCAUGHT_STORM_COUNT) {
+            appendCrashLog("uncaughtException", `${UNCAUGHT_STORM_COUNT} exceptions within ${UNCAUGHT_STORM_WINDOW_MS}ms — exiting for a clean restart`);
+            process.exit(1);
+        }
+    });
+}
 async function launchTui() {
+    installProcessBackstop();
     const cfg = defaultConfig();
     const existingToken = readGhToken(dataDir());
     if (!existingToken) {
@@ -90,15 +119,19 @@ async function launchTui() {
         const { code, complete } = await beginDeviceLogin(dataDir());
         show([`Open ${code.verification_uri} and enter code: ${code.user_code}`, "waiting for authorization…"]);
         await complete();
-        // Re-point the token store at the freshly written GitHub token; the old store still holds the
-        // expired one and would 401 once its cached Copilot token rotates, breaking the model picker.
-        tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+        // Drop the cached Copilot token so the next get() does a fresh exchange with the just-written
+        // GitHub token (the store re-reads the token on each exchange, so a new instance isn't required —
+        // but resetting clears any Copilot token cached against the old login).
+        tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
         await client.restart().catch(() => { });
         return ["GitHub authorization complete — worker restarting with the new token"];
     };
     // Filled in below once we have a token; the assistant prefers a model's real window over the default.
     const modelLimits = {};
-    let tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+    // Provider form: the store re-reads the GitHub token on each exchange, so a transient unreadable
+    // creds.json (Windows lock / partial write) can't poison the store for the session — it recovers on
+    // the next clean read, and a genuinely absent token surfaces as a 401 instead of a `token null` send.
+    let tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
     const loadModels = async () => {
         const token = await tokenStore.get();
         const [ids, limits] = await Promise.all([fetchCopilotModels(token), fetchModelLimits(token)]);
@@ -137,7 +170,7 @@ async function launchTui() {
     // hangs until the turn timeout. Reuses the long-lived tokenStore so a valid login is a cached,
     // round-trip-free check between message bursts (its get() caches with a 60s skew).
     async () => {
-        if (!readGhToken(dataDir()))
+        if (!hasGhTokenFile(dataDir()))
             return "you're signed out — run /login to sign in before chatting";
         try {
             await tokenStore.get();

package/dist/providers/copilot/token.js

@@ -12,24 +12,33 @@ export class CopilotAuthError extends Error {
     }
 }
 export class CopilotTokenStore {
-    ghToken;
     fetchFn;
     nowMs;
     cached;
+    readGhToken;
+    // Accepts either a fixed token string or a provider that is re-read on each exchange. The provider
+    // form matters when the GitHub token can change or be momentarily unreadable: a captured-once null
+    // (e.g. from a transient locked-file read at construction) would otherwise poison the store for its
+    // whole lifetime, sending `authorization: token null` forever. Re-reading recovers on the next call.
     constructor(ghToken, fetchFn = fetch, nowMs = () => Date.now()) {
-        this.ghToken = ghToken;
         this.fetchFn = fetchFn;
         this.nowMs = nowMs;
+        this.readGhToken = typeof ghToken === "function" ? ghToken : () => ghToken;
     }
     async get() {
         const skewMs = 60_000;
         if (this.cached && this.cached.expiresAtMs - skewMs > this.nowMs())
             return this.cached.token;
+        const ghToken = this.readGhToken();
+        // No GitHub token (absent / unreadable on this read) is an auth failure, not a request with a
+        // literal "null" credential — surface it the same way an expired token would be.
+        if (!ghToken)
+            throw new CopilotAuthError(401);
         const ctrl = new AbortController();
         const timer = setTimeout(() => ctrl.abort(), 8000);
         let res;
         try {
-            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${this.ghToken}`, accept: "application/json" }, signal: ctrl.signal });
+            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${ghToken}`, accept: "application/json" }, signal: ctrl.signal });
         }
         finally {
             clearTimeout(timer);

package/dist/shared/config.js

@@ -3,7 +3,7 @@ export function defaultConfig() {
         bindHost: "127.0.0.1",
         supervisorPort: 7890,
         workerPort: 7891,
-        restart: { maxCrashes: 5, windowMs: 60_000, baseBackoffMs: 500, maxBackoffMs: 8_000 },
+        restart: { maxCrashes: 5, windowMs: 60_000, baseBackoffMs: 500, maxBackoffMs: 8_000, unhealthyCooldownMs: 30_000 },
         // Empty = pass the requested model straight through to Copilot. Add entries (or "*") to remap.
         modelMap: {},
         // Set MAESTRO_REPORT_REPO=owner/repo to override where /report files diagnostics issues.

package/dist/shared/crash-log.js

@@ -0,0 +1,28 @@
+import { appendFileSync, mkdirSync, renameSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { dataDir } from "./paths.js";
+export const CRASH_LOG_NAME = "crash.log";
+// Cap the log so a high-frequency error source can't fill the disk: at the limit we roll the file to
+// `crash.log.1` (one generation kept) and start fresh. Sized small — this is a diagnostics tail, not
+// an archive.
+export const CRASH_LOG_MAX_BYTES = 1_000_000;
+function rollIfTooBig(path) {
+    try {
+        if (statSync(path).size >= CRASH_LOG_MAX_BYTES)
+            renameSync(path, `${path}.1`);
+    }
+    catch { /* file absent or stat/rename raced — nothing to roll */ }
+}
+// Append one diagnostics line to ~/.copilot-reverse/crash.log. Best-effort and never throws: logging
+// must never itself crash a backstop or a swallowed-error path. Rotates at CRASH_LOG_MAX_BYTES. The
+// dir is injectable for tests; production uses the real data dir.
+export function appendCrashLog(kind, err, dir = dataDir()) {
+    const detail = err instanceof Error ? `${err.message}\n${err.stack ?? ""}` : String(err);
+    try {
+        mkdirSync(dir, { recursive: true });
+        const path = join(dir, CRASH_LOG_NAME);
+        rollIfTooBig(path);
+        appendFileSync(path, `[${new Date().toISOString()}] ${kind}: ${detail}\n`);
+    }
+    catch { /* logging is best-effort */ }
+}

package/dist/shared/creds.js

@@ -10,7 +10,23 @@ export function writeGhToken(token, dir) {
 export function readGhToken(dir) {
     if (!existsSync(file(dir)))
         return null;
-    return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    // A corrupt creds.json (partial write) or a transient read failure (Windows EBUSY/EPERM when an
+    // antivirus or a concurrent /login write holds the file) must not throw: this is called from the
+    // 60s heartbeat tick whose rejection would otherwise reach the process top level and kill the TUI.
+    // Treat an unreadable file as "no token" — the next clean read recovers it.
+    try {
+        return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// Whether a stored-token file exists at all — distinct from readGhToken, which also returns null when
+// the file is present but momentarily unreadable. The "are you signed out?" gate wants existence (a
+// transient lock on a real login should not read as signed out); the actual token validity is checked
+// separately by exchanging it.
+export function hasGhTokenFile(dir) {
+    return existsSync(file(dir));
 }
 // Remove the stored token (logout). No-op if there's nothing to remove.
 export function clearGhToken(dir) {

package/dist/supervisor/api.js

@@ -15,9 +15,24 @@ export function createControlApp(deps) {
         res.setHeader("content-type", "text/event-stream");
         res.setHeader("cache-control", "no-cache");
         res.flushHeaders?.();
-        const send = (event, data) => res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+        let off = () => { };
+        // Writing to a socket that died between broadcasts throws synchronously (ERR_STREAM_DESTROYED /
+        // EPIPE). emit() calls this on the worker-message path, so an uncaught throw would crash the
+        // in-process supervisor + TUI. Swallow the write error and unsubscribe — a dead connection should
+        // be dropped, not retried.
+        const send = (event, data) => {
+            try {
+                res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+            }
+            catch {
+                off();
+            }
+        };
+        // Subscribe BEFORE the first write so that if the hello frame throws (socket already dead), the
+        // catch's off() refers to the real unsubscribe rather than the no-op default — otherwise a dead
+        // connection would stay subscribed until the next emit or 'close'.
+        off = deps.subscribe(send);
         send("hello", { state: deps.getState() });
-        const off = deps.subscribe(send);
         req.on("close", off);
     });
     return app;

package/dist/supervisor/events.js

@@ -1,6 +1,18 @@
 export class EventBus {
     listeners = new Set();
     subscribe(fn) { this.listeners.add(fn); return () => this.listeners.delete(fn); }
-    emit(event, data) { for (const fn of this.listeners)
-        fn(event, data); }
+    // Isolate each listener: a throwing subscriber (e.g. an SSE write to a socket that died between
+    // broadcasts) must not abort the broadcast to the others, nor escape to the process top level —
+    // emit() is called synchronously from worker-message handling, so an uncaught throw here would
+    // kill the in-process supervisor + TUI. A faulting listener is dropped so it isn't retried.
+    emit(event, data) {
+        for (const fn of this.listeners) {
+            try {
+                fn(event, data);
+            }
+            catch {
+                this.listeners.delete(fn);
+            }
+        }
+    }
 }

package/dist/supervisor/github-heartbeat.js

@@ -1,4 +1,5 @@
 import { probeGithubAuth } from "../providers/copilot/token.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 // How often the supervisor re-checks the GitHub token. Token failure is rare (revoke / re-auth) and
 // GitHub rate-limits, so a slow cadence is plenty; an initial short delay populates the status soon
 // after boot without racing worker startup.
@@ -54,6 +55,14 @@ export class GithubHeartbeat {
                 return; // a late result after stop() must not resurrect the timer/state
             this.status = nextGithubStatus(this.status, Boolean(token), probe, this.now());
         }
+        catch (e) {
+            // Defense in depth: readToken()/probe() are not expected to throw (readGhToken returns null on a
+            // bad read, probeGithubAuth never throws), but the timer fires this as `void runOnce()` — an
+            // unhandled rejection here would kill the in-process supervisor + TUI. Keep the last-known status,
+            // but log it: a throw here means a real (unexpected) defect, and swallowing it silently would
+            // freeze the badge with no trace.
+            appendCrashLog("github-heartbeat", e);
+        }
         finally {
             this.inFlight = false;
         }

package/dist/supervisor/index.js

@@ -10,6 +10,7 @@ import { dataDir, dbPath } from "../shared/paths.js";
 import { readGhToken } from "../shared/creds.js";
 import { probeGithubAuth } from "../providers/copilot/token.js";
 import { GithubHeartbeat, SIGNED_OUT_DETAIL } from "./github-heartbeat.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 export function startSupervisor() {
     const config = defaultConfig();
     mkdirSync(dataDir(), { recursive: true });
@@ -21,6 +22,9 @@ export function startSupervisor() {
         onStateChange: (s) => { state = s; bus.emit("state", { state: s }); },
         onCrash: (d, exitCode, stderrTail) => {
             recordRestart(db, { ts: Date.now(), reason: d.markedUnhealthy ? "unhealthy" : "crash", exitCode, stderrTail, backoffMs: d.backoffMs, markedUnhealthy: d.markedUnhealthy ? 1 : 0 });
+            // Also persist to crash.log so a worker crash is diagnosable post-mortem — the DB stderrTail can
+            // be empty if the worker died before flushing; this keeps whatever it did emit.
+            appendCrashLog("worker-crash", `exit=${exitCode} unhealthy=${d.markedUnhealthy} backoff=${d.backoffMs}ms\n${stderrTail || "(no stderr captured)"}`);
             bus.emit("crash", { exitCode, ...d });
         },
         onWorkerMessage: (m) => {

package/dist/supervisor/monitor.js

@@ -16,7 +16,7 @@ export class RestartController {
         const backoffMs = Math.min(this.policy.baseBackoffMs * 2 ** (this.consecutive - 1), this.policy.maxBackoffMs);
         return { backoffMs, markedUnhealthy: this.crashTimes.length >= this.policy.maxCrashes, crashesInWindow: this.crashTimes.length };
     }
-    reset() { this.consecutive = 0; }
+    reset() { this.consecutive = 0; this.crashTimes = []; }
 }
 export class WorkerMonitor {
     config;
@@ -58,7 +58,14 @@ export class WorkerMonitor {
             const d = this.controller.onCrash();
             this.hooks.onCrash(d, code, this.stderrTail);
             if (d.markedUnhealthy) {
+                // Don't give up forever: a transient crash burst (token rotation, a flaky upstream) shouldn't
+                // leave the daemon permanently dead. Mark unhealthy, then after a cooldown reset the window and
+                // try once more — recovering on its own if the cause has passed.
                 this.set("unhealthy");
+                setTimeout(() => { if (!this.stopped) {
+                    this.controller.reset();
+                    this.spawn();
+                } }, this.config.restart.unhealthyCooldownMs);
                 return;
             }
             this.set("crashed");

package/dist/version.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED by scripts/gen-version.mjs from package.json — do not edit.
-export const APP_VERSION = "0.5.0";
+export const APP_VERSION = "0.5.2";

package/dist/worker/index.js

@@ -9,8 +9,13 @@ import { makeGatewayRunner } from "../core/server-tools.js";
 import { borrowSearch } from "../providers/copilot/borrow-search.js";
 import { dataDir } from "../shared/paths.js";
 import { defaultConfig } from "../shared/config.js";
-function send(msg) { if (process.send)
-    process.send(msg); }
+// Sending after the parent tore down the IPC channel throws ERR_IPC_CHANNEL_CLOSED; guard it so a
+// crash-time report can't itself become a second, masking crash.
+function send(msg) { try {
+    if (process.connected)
+        process.send?.(msg);
+}
+catch { /* channel gone */ } }
 const cfg = defaultConfig();
 const port = Number(process.env.WORKER_PORT ?? cfg.workerPort);
 const host = process.env.BIND_HOST ?? cfg.bindHost;
@@ -47,4 +52,18 @@ process.on("message", (m) => { if (m?.type === "shutdown") {
     clearInterval(hb);
     server.close(() => process.exit(0));
 } });
-process.on("uncaughtException", (e) => { send({ type: "error", message: e.message, stack: e.stack }); process.exit(1); });
+// Crash diagnostics: write to STDERR FIRST so the supervisor's stderr capture (and crash.log) records
+// the reason even when the IPC channel is already gone; the IPC send is a best-effort extra. Without
+// the unhandledRejection handler, a stray floating rejection silently kills the worker on Node ≥15 —
+// the exact "exit 1, empty stderr" crash loop we kept seeing.
+function fatal(kind, e) {
+    const detail = e instanceof Error ? `${e.message}\n${e.stack ?? ""}` : String(e);
+    try {
+        process.stderr.write(`worker ${kind}: ${detail}\n`);
+    }
+    catch { /* nothing more we can do */ }
+    send({ type: "error", message: e instanceof Error ? e.message : String(e), stack: e instanceof Error ? e.stack : undefined });
+    process.exit(1);
+}
+process.on("uncaughtException", (e) => fatal("uncaughtException", e));
+process.on("unhandledRejection", (e) => fatal("unhandledRejection", e));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copilot-reverse",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Interactive terminal app that exposes your GitHub Copilot subscription as local OpenAI- and Anthropic-compatible endpoints, with a self-healing daemon and a built-in assistant.",
   "type": "module",
   "license": "MIT",