instar 1.3.568 → 1.3.570

package/dist/commands/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAkCH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAkH7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAsBtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAg4CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CA8eN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAshctE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAkCH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAkH7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAsBtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAg4CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CA8eN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8/btE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}

package/dist/commands/server.js

@@ -15,7 +15,7 @@ import { fileURLToPath } from 'node:url';
 import pc from 'picocolors';
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 import { loadConfig, ensureStateDir, detectTmuxPath, detectGeminiPath } from '../core/Config.js';
-import { isNonFatalUncaught, shouldLogStackForUncaught } from '../core/uncaughtExceptionPolicy.js';
+import { handleProcessLevelError } from '../core/uncaughtExceptionPolicy.js';
 import { resolveDevAgentGate, resolveStateSyncStores } from '../core/devAgentGate.js';
 import { parseProfileTrigger, platformMessageIdFrom } from '../core/topicProfileIngress.js';
 import { slugifyChannelName } from '../messaging/slack/sanitize.js';
@@ -15405,31 +15405,17 @@ export async function startServer(options) {
                         fetchPeerCapacity: async (machineId, url) => {
                             const res = await meshClient.send({ machineId, url }, { type: 'session-status' }, 0);
                             if (res.ok && res.result && typeof res.result === 'object') {
-                                const cap = res.result;
-                                const journalAdvert = _unwrapPeerJournalAdvert(machineId, cap.journalAdvert);
-                                // #930 sibling (live, v1.3.369): the commitments advert was
-                                // parsed AWAY here — served by the peer, dropped by this
-                                // narrowing return — so driveCommitmentsSync never fired and
-                                // zero replicas ever landed. Pass it through.
-                                // A2 (live, v1.3.384): the SAME narrowing also dropped the
-                                // peer's quotaState (its getCapacity(self) includes it), so the
-                                // router only ever saw its OWN quota and quota-aware placement
-                                // (#804) could never avoid a rate-limited PEER — the original
-                                // EXO failure. Pass it through too. Absent = not blocked.
-                                return {
-                                    selfReportedLastSeen: cap.selfReportedLastSeen,
-                                    loadAvg: cap.loadAvg,
-                                    journalAdvert,
-                                    ...(cap.commitmentsAdvert ? { commitmentsAdvert: cap.commitmentsAdvert } : {}),
-                                    // §WS2.1 sibling pass-through (the #930/A2 narrowing lesson): the
-                                    // peer's preferences advert is served but would be dropped here
-                                    // without this, so drivePreferencesSync would never fire.
-                                    ...(cap.preferencesAdvert ? { preferencesAdvert: cap.preferencesAdvert } : {}),
-                                    ...(cap.quotaState ? { quotaState: cap.quotaState } : {}),
-                                    // Guard posture rides the same pass-through (the A2 narrowing
-                                    // lesson): dropping it here would blind the pool to peers' posture.
-                                    ...(cap.guardPosture ? { guardPosture: cap.guardPosture } : {}),
-                                };
+                                // The journal advert is the one slice that needs closure context
+                                // (the machine-id-keyed unwrap), so it is computed HERE; the rest
+                                // of the narrowing — commitmentsAdvert (#930), quotaState (A2/#804),
+                                // preferencesAdvert (WS2.1), guardPosture, and seamlessnessFlags
+                                // (THIS fix, the 4th instance of the narrowing-return-forgets-a-field
+                                // class) — is the SINGLE shared `narrowSessionStatusToPeerCapacity`
+                                // pass-through that the peer-presence round-trip test also runs, so
+                                // the test proves the REAL mapping and a forgotten field can't recur
+                                // silently (the wiring-integrity ratchet asserts over this helper).
+                                const journalAdvert = _unwrapPeerJournalAdvert(machineId, res.result.journalAdvert);
+                                return presenceMod.narrowSessionStatusToPeerCapacity(res.result, journalAdvert);
                             }
                             return null;
                         },
@@ -16553,31 +16539,25 @@ export async function startServer(options) {
         // (e.g., cloudflared crash cascade during sleep/wake), close databases to prevent
         // the "mutex lock failed" error on next start. This doesn't prevent the crash,
         // but ensures the next boot is clean.
+        // Route BOTH process-level error events through one shared decision
+        // (uncaughtExceptionPolicy.handleProcessLevelError) so they cannot drift to
+        // divergent policies: one narrow allowlist (HTTP double-response races, the
+        // Slack Socket Mode reconnect race, standby read-only writes), one
+        // fail-toward-crash default, one dedup'd log path. Isolated/recoverable
+        // errors log-and-continue; anything unknown closes ALL registered SQLite
+        // handles (so the crash exit doesn't compound into a "mutex lock failed"
+        // SIGABRT) and exits — net #2 respawns a clean process in ~10s.
+        //
+        // The unhandledRejection handler is essential, not optional: the Slack
+        // 'message' listener calls the async _handleRawMessage, so an escaping throw
+        // there surfaces as a REJECTION, not a sync exception (net #1). Cleanup is
+        // injected so the policy module stays pure decision-logic.
+        const onFatalCleanup = () => { closeAllSqlite(); };
         process.on('uncaughtException', (err) => {
-            // Isolated, recoverable uncaught exceptions — log and continue, don't
-            // crash the server (which would close its databases + drop in-flight
-            // work). See isNonFatalUncaught for the allowlist + rationale (HTTP
-            // double-response races, Slack Socket Mode reconnect races).
-            if (isNonFatalUncaught(err)) {
-                // Attach the stack the first time a given origin is seen so the offending
-                // call site (e.g. a route that double-responds → "Cannot set headers")
-                // is diagnosable; repeats log message-only to avoid flooding the log
-                // (these isolated races recur ~10-20x/hour).
-                const stackSuffix = shouldLogStackForUncaught(err) && err.stack
-                    ? `\n  first-seen stack (for diagnosis):\n${err.stack}`
-                    : '';
-                console.warn(`[WARN] Non-fatal uncaught exception (suppressed): ${err.message}${stackSuffix}`);
-                return; // Don't crash — the server is fine
-            }
-            console.error('[FATAL] Uncaught exception — closing databases before crash:', err.message);
-            // Close ALL registered SQLite handles (not just topic/semantic memory) so
-            // the crash exit doesn't compound into a "mutex lock failed" SIGABRT on top
-            // of the original error. closeAllSqlite() is best-effort + idempotent.
-            try {
-                closeAllSqlite();
-            }
-            catch { /* best effort */ }
-            process.exit(1);
+            handleProcessLevelError(err, 'uncaughtException', { onFatalCleanup });
+        });
+        process.on('unhandledRejection', (reason) => {
+            handleProcessLevelError(reason, 'unhandledRejection', { onFatalCleanup });
         });
         // Wire the ForegroundRestartWatcher to the graceful shutdown function.
         // This ensures auto-update restarts close all resources (especially SQLite