nexus-fca 2.1.7 → 2.1.10

package/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## [2.1.10] - 2025-09-08 - Publish Meta Bump
+### Changed
+- Fixed Major Problems found in 2.1.9 and Its the last version of 2.1.xxx
+
+### Notes
+- 2.1.8 And 2.1.10 is the most stable verion!
+
+---
+
+## [2.1.9] - 2025-09-08 - Advanced Stability Prep
+### Added
+- Dynamic risk-tier tuning: heartbeat interval, backoff delay, spacing guard adjust automatically on risk changes.
+- Adaptive outbound pacing: micro-delays after heavy maintenance (refresh/reconnect) to reduce burst patterns (2m adaptive window).
+
+### Changed
+- Reconnect backoff now computed via risk-aware curve (faster recovery in high risk, quieter in low risk).
+
+### Notes
+- Optional, transparent; no API break. Can expose stats later via planned getSafetyTimingStats.
+
+---
+
+## [2.1.8] - 2025-09-08 - Safety Consolidation & Collision Guard
+### Added
+- Unified safety orchestrator (single module coordinates safe refresh, light poke, periodic recycle) with timer registry and structured teardown.
+- Collision spacing guard (45m) preventing clustered token operations (refresh/poke/recycle).
+- Recycle suppression logic (defers 20–30m if a refresh/poke occurred inside spacing window).
+- Light poke integration moved inside `FacebookSafety.scheduleLightPoke()` (duplicate inline scheduling removed).
+- Deprecation warning emitted when legacy `FacebookSafetyManager` is instantiated.
+
+### Changed
+- Removed duplicate mid-session poke timer from `index.js`.
+- Safe refresh participates in collision guard and spacing tracking (`_lastRefreshTs`).
+- Periodic recycle respects `_minSpacingMs` and defers if necessary.
+
+### Improved
+- Lower probability of rapid successive token / connection maintenance clustering.
+- Simplified lifecycle cleanup through timer registry.
+
+### Deprecated
+- `FacebookSafetyManager` (legacy) – retained for backward compatibility only.
+
+### Notes
+- No public API break; users should remove custom light poke timers.
+
+---
+
 ## [2.1.7] - 2025-09-01 - Session Stability Patch
 ### Added
 - User-Agent continuity (anchored single UA for entire session via safety module; eliminates mid-session UA drift increasing 20–22h expiry risk).
@@ -118,7 +165,6 @@ Stability-focused release improving long‑running bot sessions, reducing false
 ### Changed
 - 🔁 `listenMqtt` now performs silent initial validation; only emits `not_logged_in` after a confirmatory retry
 - 🧠 `parseAndCheckLogin` now robustly handles 3xx chains & HTML login fallback pages
-- 🔐 Default behavior: device identity no longer rotates unless explicitly overridden
 - 🧩 Refactored internal cookie & session utilities (centralized in `utils.js`)
 - 📄 Rewritten documentation (README, DOCS, CHANGELOG) for concise modern onboarding
 

package/README.md

@@ -1,7 +1,12 @@
-# Nexus-FCA v2.1.7
+# Nexus-FCA v2.1.10
+<!-- 2.1.10 Safety Consolidation -->
+>Fixed Major Problems found in 2.1.9 and Its the last version of 2.1.xxx
+
+<!-- 2.1.9 Safety Consolidation -->
+> New in 2.1.9: Safety Consolidation & Collision Guard – unified safety orchestrator (single scheduler for safe refresh, light poke, periodic recycle) + 45m spacing guard (prevents clustered token actions), timer registry cleanup, recycle suppression after recent refresh, deprecates legacy FacebookSafetyManager.
 
 <!-- 2.1.7 Session Stability Patch -->
-> New in 2.1.7: Session Stability Patch – anchored User-Agent continuity (eliminates 20–22h silent expiry pattern), lightweight mid‑session token poke (6h ±40m) + existing adaptive safeRefresh, retains ultra‑low ban profile.
+> 2.1.7: Session Stability Patch – anchored User-Agent continuity (eliminates 20–22h silent expiry pattern), lightweight mid‑session token poke (6h ±40m randomized) + existing adaptive safeRefresh, retains ultra‑low ban profile.
 
 <!-- 2.1.6 Memory Guard -->
 > 2.1.6: Memory Guard & Queue Sweeping – bounded group queues, pending edit TTL sweeper, memory metrics exporter.
@@ -21,16 +26,17 @@
 - 🔐 Integrated secure login system (username/password + TOTP 2FA) → auto appstate
 - 🛡️ Ultra-low ban rate design (human timing, safety limiter, anchored UA, risk heuristics)
 - 🔄 Resilient MQTT listener (adaptive backoff + idle / ghost detection + periodic recycle)
-- ♻️ Session continuity: anchored UA + adaptive safe refresh + lightweight mid-session poke
+- ♻️ Session continuity: anchored UA + adaptive safe refresh + integrated lightweight mid-session poke
 - 🧠 Smart session validation (lazy preflight, multi-endpoint retry, reduced false logouts)
 - 📊 Live health & memory metrics (`api.getHealthMetrics()`, `api.getMemoryMetrics()`)
 - 🧾 Type definitions (`index.d.ts`) & modern Promise / callback API
 - 🧩 Modular architecture (safety, performance, error, mqtt managers)
 
 ---
-## 🚀 Recent Stability Enhancements (2.1.7 / 2.1.6 / 2.1.5)
+## 🚀 Recent Stability Enhancements (2.1.8 / 2.1.7 / 2.1.6 / 2.1.5)
 | Version | Focus | Key Additions |
 |---------|-------|---------------|
+| 2.1.8 | Safety Consolidation | Unified orchestrator, collision spacing (45m), timer registry, recycle suppression, legacy manager deprecated |
 | 2.1.7 | Session Longevity | UA continuity anchor, lightweight token poke, removal of mid-login UA drift |
 | 2.1.6 | Memory Safety | Group queue idle purge + overflow trim, pendingEdits TTL sweeper, memory guard metrics |
 | 2.1.5 | Edit Reliability | PendingEdits buffer (cap+TTL), ACK watchdog, resend limits, p95 ACK latency |
@@ -38,8 +44,8 @@
 ### Why UA Continuity Matters
 Previously, dual-phase login could swap user agents (mobile → desktop) causing server-side heuristic expiry near 20–22h. Anchoring a single UA eliminates the inconsistent device fingerprint pattern and extends stable runtime under identical safety posture.
 
-### Lightweight Mid-Session Poke
-A subtle `fb_dtsg` refresh every ~6h ±40m (in addition to adaptive risk-based safeRefresh) keeps tokens warm without aggressive churn, lowering validation friction while avoiding noisy traffic patterns.
+### Lightweight Mid-Session Poke (Integrated)
+Originally introduced in 2.1.7, now centrally scheduled inside the unified safety orchestrator (no duplicate inline timers). A subtle `fb_dtsg` refresh every ~6h (±40m randomized, alongside adaptive risk-based safe refresh) keeps tokens warm without aggressive churn while avoiding noisy traffic patterns. Collision guard ensures it never triggers too close to a full safe refresh or periodic recycle.
 
 ---
 ## 🧪 Key API Additions
@@ -69,6 +75,7 @@ setInterval(() => {
 3. Avoid changing UA manually; continuity is automatic post‑2.1.7.
 4. Inspect health metrics before manually forcing reconnects.
 5. Let adaptive backoff handle transient network instability.
+6. Avoid using deprecated `FacebookSafetyManager`; the consolidated safety layer activates automatically when `login()` resolves.
 
 ---
 ## ⚡ Quick Start (Appstate)
@@ -103,18 +110,22 @@ const login = require('nexus-fca');
 ```
 
 ---
-## 🛡️ Safety Layer (Updated)
+## 🛡️ Safety Layer (Updated 2.1.8)
 | Feature | Benefit |
 |---------|---------|
 | Anchored User-Agent | Eliminates fingerprint drift (prevents 20–22h expiry) |
-| Adaptive Safe Refresh | Risk‑sensitive token renewal bands |
-| Lightweight Token Poke | Quiet longevity without churn |
+| Unified Orchestrator | Single scheduler for refresh, light poke, recycle (no overlap clashes) |
+| Adaptive Safe Refresh | Risk‑sensitive token renewal bands (multi‑hour low risk, shorter high risk) |
+| Lightweight Token Poke | Quiet longevity without churn (integrated + collision guarded) |
 | Idle / Ghost Detection | Auto probe + reconnect on silent stalls |
-| Periodic Recycle | 6h ± jitter connection rejuvenation |
+| Periodic Recycle | ~6h (±30m) randomized connection rejuvenation (suppressed if recent refresh) |
 | Persistent Device Profile | Fewer checkpoints / trust continuity |
 | Lazy Preflight | Skips heavy validation when recently healthy |
 | Human-like Timing | Reduces automation signal surface |
 
+### Consolidation / Collision Guard (2.1.8)
+The unified safety module keeps a registry of all scheduled timers (safe refresh, light poke, post-refresh health checks, periodic recycle) and enforces a minimum 45 minute spacing window so heavy or light token actions never cluster. Legacy `FacebookSafetyManager` now only emits a deprecation warning and should not be instantiated going forward.
+
 Disable preflight if needed:
 ```js
 await login({ appState }, { disablePreflight: true });
@@ -216,7 +227,7 @@ const login = require('nexus-fca');
 ## 📚 Documentation
 - Full API reference: `DOCS.md`
 - Per-feature guides: `/docs/*.md`
-- Safety: `docs/account-safety.md`
+- Safety: `docs/account-safety.md` (unified orchestrator & deprecation note)
 - Examples: `/examples`
 
 ---
@@ -224,6 +235,7 @@ const login = require('nexus-fca');
 | Change | Action |
 |--------|--------|
 | UA Continuity (2.1.7) | No action; auto applied |
+| Safety Consolidation (2.1.8) | Remove any manual timers/light poke code – handled internally |
 | Memory Guard (2.1.6) | Inspect `api.getMemoryMetrics()` periodically |
 | PendingEdits (2.1.5) | Tune via `api.setEditOptions()` if needed |
 | Lazy Preflight | Optionally disable when embedding in other frameworks |

package/docs/account-safety.md

@@ -11,6 +11,8 @@ Nexus-FCA Ultra-Safe Edition is designed to minimize Facebook account ban, lock,
 - **Proactive Safety Alerts:** If a risk is detected (lock, checkpoint, block), the bot will pause or stop to prevent further issues
 - **Session & Token Management:** Automatic session validation and safe token refresh keep your login secure
 - **Region & Connection Protection:** Advanced region bypass and safe reconnection logic avoid suspicious activity triggers
+- **Unified Safety Orchestrator (2.1.8+):** Single scheduler coordinates safe refresh, light poke (~6h ±40m), and periodic recycle (~6h ±30m) with collision spacing (45m) to prevent clustered token actions
+- **Ghost / Idle Detection:** Soft-stale probing (2m30s) and ghost recovery before full disconnect patterns emerge
 
 ---
 
@@ -24,6 +26,7 @@ Nexus-FCA Ultra-Safe Edition is designed to minimize Facebook account ban, lock,
   - Always use cookies less than 7 days old for best results
 - **Monitor Risk Level:**
   - Listen for `riskLevelHigh`, `accountLocked`, `checkpointRequired` events and take action if triggered
+- **Avoid Deprecated Manager:** Do not instantiate `FacebookSafetyManager` (legacy); consolidated `FacebookSafety` handles everything automatically.
 
 ---
 
@@ -34,6 +37,8 @@ Nexus-FCA Ultra-Safe Edition is designed to minimize Facebook account ban, lock,
 - **Update your appstate.json regularly**
 - **Monitor your Facebook account for security notifications**
 - **If you see a checkpoint or lock, stop the bot and verify your account manually**
+- **Do not schedule custom token poke timers; built‑in orchestrator already manages safe refresh cadence & spacing**
+- **Keep `persistent-device.json` stable—don’t delete unless forced by actual session invalidation**
 
 ---
 
@@ -55,6 +60,13 @@ client.login({ appState: require('./appstate.json') });
 - `checkpointRequired` — Facebook requires manual verification
 - `riskLevelHigh` — High risk detected, bot will increase delays and reduce activity
 - `sessionExpired` — Session expired, update your appstate.json
+- `safeRefresh` — Safe token refresh attempted (payload includes success/failure, duration)
+- `lightPoke` — Lightweight fb_dtsg keep-alive executed
+- `mqttReconnect` — Reconnect cycle triggered (reason + attempt)
+- `heartbeat` — Periodic keepalive ping succeeded
+
+### Event Spacing (2.1.8+)
+The orchestrator enforces a minimum spacing window (~45m) between maintenance actions (refresh, recycle, light poke). If a recycle is scheduled too soon after a refresh/poke it defers 20–30m automatically to avoid clustering patterns.
 
 ---
 
@@ -66,7 +78,16 @@ client.login({ appState: require('./appstate.json') });
 > Stop the bot immediately, log in to Facebook manually, and follow the verification steps. Only restart the bot after your account is fully restored.
 
 **Q: How often should I update my appstate.json?**
-> At least once a week, or whenever you see a session expired or checkpoint event.
+> At least once a week, or whenever you see a session expired or checkpoint event (less often if persistent device + long stable runs).
+
+**Q: How often are tokens refreshed now?**
+> Adaptive. Low risk uses multi‑hour windows; high risk shortens interval. Lightweight mid-session poke (~6h ±40m) and periodic recycle (~6h ±30m) are collision‑guarded with 45m spacing.
+
+**Q: Do I need to keep my own refresh timers?**
+> No. Remove custom refresh/poke loops—duplication increases clustering risk.
+
+**Q: Is legacy `FacebookSafetyManager` still required?**
+> No. It is deprecated and only logs a warning if used. Migrate entirely to the integrated safety layer (automatic on login).
 
 ---
 

package/index.js

@@ -296,6 +296,15 @@ function buildAPI(globalOptions, html, jar) {
       api[v.replace(".js", "")] = require("./src/" + v)(defaultFuncs, api, ctx);
     });
   api.listen = api.listenMqtt;
+  // Adaptive outbound pacing wrapper (dynamic risk + post-maintenance window)
+  if (!api._adaptivePacingWrapped && typeof api.sendMessage === 'function') {
+    const _origSend = api.sendMessage;
+    api.sendMessage = async function(message, threadID, callback){
+      try { if (globalSafety && typeof globalSafety.applyAdaptiveSendDelay === 'function') await globalSafety.applyAdaptiveSendDelay(); } catch(_) {}
+      return _origSend(message, threadID, callback);
+    };
+    api._adaptivePacingWrapped = true;
+  }
   // Safety wrapper: ensure every inbound MQTT event updates safety lastEvent timestamp
   if (!api._safetyWrappedListen) {
     const _origListen = api.listenMqtt;
@@ -505,21 +514,10 @@ function loginHelper(appState, email, password, globalOptions, callback, prCallb
       logger('✅ Session authenticated successfully', 'info');
       // Initialize safety monitoring
       globalSafety.startMonitoring(ctx, api);
-      // Schedule mid-session lightweight token poke (~ every 6h ±40m) to keep cookies warm
-      if(!globalOptions._lightRefreshTimer){
-        const scheduleLight = () => {
-          const base = 6 * 60 * 60 * 1000; // 6h
-          const jitter = (Math.random()*80 - 40) * 60 * 1000; // ±40m
-            globalOptions._lightRefreshTimer = setTimeout(async () => {
-              try {
-                if(api && typeof api.refreshFb_dtsg === 'function'){
-                  await api.refreshFb_dtsg().catch(()=>{});
-                }
-              } catch(_) {}
-              scheduleLight();
-            }, base + jitter);
-        };
-        scheduleLight();
+  try { globalSafety.startDynamicSystems(); } catch(_) {}
+      // Consolidated: delegate light poke to unified safety module (prevents duplicate refresh scheduling)
+      if (globalSafety && typeof globalSafety.scheduleLightPoke === 'function') {
+        globalSafety.scheduleLightPoke();
       }
       // Post-login identity banner
       try {

package/lib/safety/FacebookSafety.js

@@ -76,6 +76,17 @@ class FacebookSafety {
         this._ghostChecking = false;
         // Periodic recycle timer
         this._periodicRecycleTimer = null;
+    // Consolidation additions
+    this._lastRefreshTs = 0; // track last successful refresh-like action
+    this._lastRecycleTs = 0;
+    this._lastLightPokeTs = 0;
+    this._timerRegistry = new Set();
+    this._minSpacingMs = 45 * 60 * 1000; // 45m guard between heavy/light actions
+    // Adaptive pacing + dynamic tuning additions
+    this._lastHeavyMaintenanceTs = 0; // last refresh OR successful reconnect
+    this._adaptivePacingWindowMs = 2 * 60 * 1000; // apply outbound pacing first 2m after heavy maintenance
+    this._dynamicHeartbeatTimer = null; // replaces fixed interval heartbeat for risk-tier tuning
+    this._riskLast = 'low';
 
         this.initSafety();
     }
@@ -268,19 +279,26 @@ class FacebookSafety {
             clearTimeout(this._safeRefreshTimer);
             this._safeRefreshTimer = null;
         }
-        // Stealth+Resilient profile refresh policy:
-        // risk low: 50-60m, medium: 40-50m, high: 25-35m (random inside band)
+        // USER REQUEST: widen refresh window to random 3–5 hours (stealth longevity)
+        // Previous risk-tier windows (25–60m) replaced per instruction.
         const schedule = () => {
             if (this._destroyed) return;
-            let minM, maxM;
-            if (this.sessionMetrics.riskLevel === 'high') { minM = 25; maxM = 35; }
-            else if (this.sessionMetrics.riskLevel === 'medium') { minM = 40; maxM = 50; }
-            else { minM = 50; maxM = 60; }
-            const interval = (minM * 60 * 1000) + Math.random() * ((maxM - minM) * 60 * 1000);
-            this._safeRefreshTimer = setTimeout(async () => {
+            // Base window 3h–5h. If risk escalates HIGH, clamp to 1h–1.5h for safety.
+            let minMs, maxMs;
+            if (this.sessionMetrics.riskLevel === 'high') {
+                minMs = 60 * 60 * 1000;          // 1h
+                maxMs = 90 * 60 * 1000;          // 1.5h
+            } else {
+                minMs = 3 * 60 * 60 * 1000;      // 3h
+                maxMs = 5 * 60 * 60 * 1000;      // 5h
+            }
+            const interval = minMs + Math.random() * (maxMs - minMs);
+            const t = setTimeout(async () => {
                 await this.refreshSafeSession();
                 schedule();
             }, interval);
+            this._registerTimer(t);
+            this._safeRefreshTimer = t;
         };
         schedule();
     }
@@ -300,13 +318,17 @@ class FacebookSafety {
     updateRiskLevel() {
         const timeSinceLastActivity = Date.now() - this.sessionMetrics.lastActivity;
         const errorRate = this.sessionMetrics.errorCount / Math.max(1, this.sessionMetrics.requestCount);
-
+        let next;
         if (errorRate > 0.3 || timeSinceLastActivity < 1000) {
-            this.sessionMetrics.riskLevel = 'high';
+            next = 'high';
         } else if (errorRate > 0.1 || timeSinceLastActivity < 5000) {
-            this.sessionMetrics.riskLevel = 'medium';
+            next = 'medium';
         } else {
-            this.sessionMetrics.riskLevel = 'low';
+            next = 'low';
+        }
+        if (next !== this.sessionMetrics.riskLevel) {
+            this.sessionMetrics.riskLevel = next;
+            this._onRiskLevelChanged(next);
         }
     }
 
@@ -366,10 +388,7 @@ class FacebookSafety {
             const now = Date.now();
             if (now < this._backoff.next) { return; }
             const attempt = ++this._backoff.attempt;
-            // Stealth backoff: 1.2s * 1.8^n capped ~20s, add jitter 0-500ms
-            const baseDelay = Math.min(20000, 1200 * Math.pow(1.8, Math.min(attempt, 6)));
-            const jitter = Math.random() * 500;
-            const delay = baseDelay + jitter;
+            const delay = this._computeBackoffDelay(attempt);
             this._backoff.next = now + delay;
             await new Promise(r => setTimeout(r, delay));
             if (this._activeListenerStop && typeof this._activeListenerStop === 'function') { try { this._activeListenerStop(); } catch(_) {} }
@@ -377,6 +396,7 @@ class FacebookSafety {
                 const stop = this.api.listenMqtt((err, event) => { if (!err && event) this.recordEvent(); });
                 this._activeListenerStop = stop;
                 this.safetyEmit('mqttReconnect', { success: true, reason, attempt, delay });
+                this._markHeavyMaintenance();
             }
             setTimeout(() => {
                 if (this.ctx && this.ctx.mqttClient && this.ctx.mqttClient.connected) { this._backoff.attempt = 0; }
@@ -400,11 +420,22 @@ class FacebookSafety {
         const base = 6 * 60 * 60 * 1000; // 6h
         const jitter = (Math.random() * 60 - 30) * 60 * 1000; // ±30m
         const delay = base + jitter;
-        this._periodicRecycleTimer = setTimeout(() => {
+        const t = setTimeout(() => {
             if (this._destroyed) return;
+            // Suppress recycle if a refresh/poke just happened inside spacing window
+            if (Date.now() - this._lastRefreshTs < this._minSpacingMs) {
+                // reschedule shorter backoff (add 20m) to avoid clustering
+                const defer = 20 * 60 * 1000 + Math.random() * 10 * 60 * 1000; // 20–30m
+                const dt = setTimeout(()=> this._schedulePeriodicRecycle(), defer);
+                this._registerTimer(dt);
+                return;
+            }
+            this._lastRecycleTs = Date.now();
             this.forceReconnect('periodic');
             this._schedulePeriodicRecycle();
         }, delay);
+        this._registerTimer(t);
+        this._periodicRecycleTimer = t;
     }
 
     // Heartbeat ping & watchdog
@@ -499,6 +530,10 @@ class FacebookSafety {
     async refreshSafeSession() {
         // Improved safe session refresh implementation
         if (this._refreshing) return; // prevent concurrent refreshes
+        // Collision guard – skip if a refresh/poke happened very recently
+        if (Date.now() - this._lastRefreshTs < this._minSpacingMs / 2) {
+            return;
+        }
         this._refreshing = true;
         const refreshId = ++this._inFlightRefreshId;
         const startedAt = Date.now();
@@ -527,6 +562,8 @@ class FacebookSafety {
                 durationMs: Date.now() - startedAt,
                 message: 'Session tokens refreshed'
             });
+            this._lastRefreshTs = Date.now();
+            this._markHeavyMaintenance();
             // Immediate MQTT health ensure
             await this._ensureMqttAlive();
             // Schedule layered post-refresh checks (1s, 10s, 30s) to catch silent drops
@@ -565,11 +602,51 @@ class FacebookSafety {
         }
     }
 
+    /**
+     * Lightweight poke (fb_dtsg refresh only) integrated to remove duplicate logic in index.js
+     */
+    scheduleLightPoke() {
+        if (this._lightPokeTimer || this._destroyed) return;
+        const base = 6 * 60 * 60 * 1000; // 6h
+        const jitter = (Math.random()*80 - 40) * 60 * 1000; // ±40m
+        const schedule = () => {
+            if (this._destroyed) return;
+            const t = setTimeout(async () => {
+                if (this._destroyed) return;
+                // Respect spacing: skip if recent heavy refresh
+                if (Date.now() - this._lastRefreshTs < this._minSpacingMs / 2) {
+                    schedule();
+                    return;
+                }
+                try {
+                    if (this.api && typeof this.api.refreshFb_dtsg === 'function') {
+                        await this.api.refreshFb_dtsg().catch(()=>{});
+                        this._lastRefreshTs = Date.now();
+                        this._lastLightPokeTs = Date.now();
+                        this.safetyEmit('lightPoke', { ts: Date.now() });
+                    }
+                } catch(_) {}
+                schedule();
+            }, base + (Math.random()*80 - 40) * 60 * 1000);
+            this._registerTimer(t);
+            this._lightPokeTimer = t;
+        };
+        schedule();
+    }
+
+    _registerTimer(t){
+        if (!t) return;
+        this._timerRegistry.add(t);
+    }
+
     // Cleanup / destroy resources (to prevent dangling timers)
     destroy() {
         this._destroyed = true;
-        const timers = [this._safeRefreshInterval, this._safeRefreshTimer, this._heartbeatTimer, this._watchdogTimer, this._periodicRecycleTimer];
+        const timers = [this._safeRefreshInterval, this._safeRefreshTimer, this._heartbeatTimer, this._watchdogTimer, this._periodicRecycleTimer, this._lightPokeTimer];
         timers.forEach(t => t && clearTimeout(t));
+        // Clear any registered anonymous timers
+        this._timerRegistry.forEach(t => clearTimeout(t));
+        this._timerRegistry.clear();
         if (this._activeListenerStop) {
             try { this._activeListenerStop(); } catch (_) {}
             this._activeListenerStop = null;
@@ -617,6 +694,99 @@ class FacebookSafety {
         }
     }
 
+    /* ======================== Dynamic Tuning & Pacing ======================== */
+    _onRiskLevelChanged(risk){
+        // Adjust spacing guard slightly (high risk allow earlier refresh to recover)
+        if (risk === 'high') this._minSpacingMs = 30 * 60 * 1000; else this._minSpacingMs = 45 * 60 * 1000;
+        // Reschedule heartbeat dynamically
+        this._scheduleDynamicHeartbeat(true);
+        this.safetyEmit('riskLevelChanged', { risk });
+    }
+
+    _computeBackoffDelay(attempt){
+        const risk = this.sessionMetrics.riskLevel;
+        const a = Math.min(attempt, 6);
+        let base;
+        if (risk === 'high') {
+            base = 900 * Math.pow(1.6, a); // faster recovery
+        } else if (risk === 'medium') {
+            base = 1100 * Math.pow(1.7, a);
+        } else { // low
+            base = 1500 * Math.pow(1.9, a); // slower to reduce noise
+        }
+        const cap = (risk === 'low') ? 25000 : (risk === 'medium' ? 22000 : 18000);
+        const delay = Math.min(cap, base) + Math.random()*600; // jitter
+        return delay;
+    }
+
+    _scheduleDynamicHeartbeat(reset){
+        if (reset && this._dynamicHeartbeatTimer){ clearTimeout(this._dynamicHeartbeatTimer); this._dynamicHeartbeatTimer = null; }
+        if (this._destroyed) return;
+        const interval = this._computeHeartbeatInterval();
+        this._dynamicHeartbeatTimer = setTimeout(()=>{
+            if (this._destroyed) return;
+            try {
+                if (this.ctx && this.ctx.mqttClient && this.ctx.mqttClient.connected) {
+                    if (this.ctx.mqttClient.ping) this.ctx.mqttClient.ping();
+                    try { this.ctx.mqttClient.publish('/foreground_state', JSON.stringify({ foreground: true })); } catch(_) {}
+                    this.safetyEmit('heartbeat', { ts: Date.now(), dynamic: true });
+                }
+            } catch(_) {}
+            // Watchdog like check
+            this._runDynamicWatchdog();
+            this._scheduleDynamicHeartbeat(false);
+        }, interval);
+        this._registerTimer(this._dynamicHeartbeatTimer);
+    }
+
+    _computeHeartbeatInterval(){
+        const risk = this.sessionMetrics.riskLevel;
+        if (risk === 'high') return (55 + Math.random()*20) * 1000; // 55–75s
+        if (risk === 'medium') return (70 + Math.random()*20) * 1000; // 70–90s
+        return (80 + Math.random()*20) * 1000; // 80–100s
+    }
+
+    _runDynamicWatchdog(){
+        const idle = Date.now() - this._lastEventTs;
+        // escalate thresholds slightly by risk (high risk shorter tolerance)
+        const hard = (this.sessionMetrics.riskLevel === 'high') ? 8*60*1000 : 12*60*1000;
+        if (idle > hard) {
+            this._backoff.attempt = 0;
+            this._ensureMqttAlive();
+        }
+    }
+
+    _markHeavyMaintenance(){
+        this._lastHeavyMaintenanceTs = Date.now();
+    }
+
+    computeAdaptiveSendDelay(){
+        const risk = this.sessionMetrics.riskLevel;
+        const since = Date.now() - this._lastHeavyMaintenanceTs;
+        const inWindow = since < this._adaptivePacingWindowMs;
+        let min=0, max=0;
+        if (inWindow){
+            if (risk === 'high'){ min=600; max=1500; }
+            else if (risk === 'medium'){ min=200; max=800; }
+            else { min=0; max=300; }
+        } else {
+            // outside pacing window only high risk adds mild delay
+            if (risk === 'high'){ min=150; max=600; }
+        }
+        if (max<=0) return 0;
+        return Math.floor(min + Math.random()*(max-min));
+    }
+
+    applyAdaptiveSendDelay(){
+        const d = this.computeAdaptiveSendDelay();
+        if (!d) return Promise.resolve();
+        return new Promise(r=> setTimeout(r, d));
+    }
+
+    startDynamicSystems(){
+        this._scheduleDynamicHeartbeat(true);
+    }
+
     /**
      * Set safety event handler
      */
@@ -625,4 +795,4 @@ class FacebookSafety {
     }
 }
 
-module.exports = FacebookSafety;
+module.exports = FacebookSafety;

package/lib/safety/FacebookSafetyManager.js

@@ -13,7 +13,8 @@ class FacebookSafetyManager extends EventEmitter {
     constructor(options = {}) {
         super();
         
-        this.options = {
+    console.warn('[DEPRECATION] FacebookSafetyManager is deprecated. The unified FacebookSafety module now handles all safety logic. Avoid using this manager.');
+    this.options = {
             // Auto re-login detection
             autoReloginEnabled: options.autoReloginEnabled !== false,
             autoReloginRetries: options.autoReloginRetries || 3,
@@ -112,7 +113,7 @@ class FacebookSafetyManager extends EventEmitter {
             this.startUserAgentRotation();
         }
         
-        logger('🛡️ Facebook Safety Manager initialized with maximum protection', 'info');
+    logger('🛡️ (Deprecated) Facebook Safety Manager initialized (prefer unified FacebookSafety)', 'info');
     }
     
     /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexus-fca",
-  "version": "2.1.7",
+  "version": "2.1.10",
   "description": "A modern, safe, and advanced Facebook Chat API for Node.js with fully integrated Nexus Login System. NPM-ready with ID/password/2FA support, ultra-low ban rate protection, and zero external dependencies.",
   "main": "index.js",
   "repository": {