persnally 2.0.2 → 2.0.3

package/build/src/cli.js

@@ -384,6 +384,11 @@ async function main() {
             };
             process.on("SIGTERM", shutdown);
             process.on("SIGINT", shutdown);
+            // An always-on daemon must not die silently on a stray error. Log a
+            // rejection and keep serving; on an uncaught exception the process state
+            // is undefined — log and exit so the supervisor (launchd) restarts clean.
+            process.on("unhandledRejection", (e) => console.error("unhandledRejection:", e));
+            process.on("uncaughtException", (e) => { console.error("uncaughtException:", e); process.exit(1); });
             console.error(`persnallyd v${VERSION} listening on 127.0.0.1:${port}`);
             console.error(`Dashboard: http://127.0.0.1:${port}`);
             return;

package/build/src/config.js

@@ -3,7 +3,7 @@
  * key, so the launchd-run daemon (no shell env) can synthesize. Unknown fields
  * are preserved (the file predates v2). Saved with owner-only permissions.
  */
-import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { DATA_DIR } from "./paths.js";
 // Resolved at call time so PERSNALLY_DIR overrides work in-process (tests), not just for subprocesses.
@@ -22,9 +22,13 @@ export function saveConfig(updates) {
     const file = configFile();
     mkdirSync(dirname(file), { recursive: true });
     const merged = { ...loadConfig(), ...updates };
-    // mode on create closes the world-readable window before chmod; chmod also
-    // corrects perms on a pre-existing file. The config holds the API key.
-    writeFileSync(file, JSON.stringify(merged, null, 2) + "\n", { mode: 0o600 });
+    // Atomic write: a crash mid-write must never leave a truncated config —
+    // that would silently drop the API key and all scopes (loadConfig swallows
+    // parse errors). Write to a temp file, then rename (atomic on one fs).
+    // mode 0600 on create + chmod keeps the key owner-only through the swap.
+    const tmp = `${file}.${process.pid}.tmp`;
+    writeFileSync(tmp, JSON.stringify(merged, null, 2) + "\n", { mode: 0o600 });
+    renameSync(tmp, file);
     chmodSync(file, 0o600);
 }
 /** Env wins over config; sets process.env so the Anthropic SDK picks it up. */

package/build/src/daemon.js

@@ -11,6 +11,8 @@ import { newEvent, validateEvent } from "./events.js";
 import { chooseExtractor } from "./llm.js";
 import { synthesizeProfile } from "./profile.js";
 export const DEFAULT_PORT = 4983;
+const MAX_BODY_BYTES = 25 * 1024 * 1024; // generous for import batches; bounds memory
+const MAX_QUERY_LIMIT = 10_000; // ceiling for public ?limit= params
 // Single source of truth for the user-visible version: package.json.
 const pkg = JSON.parse(readFileSync(new URL("../../package.json", import.meta.url), "utf-8"));
 export const VERSION = pkg.version;
@@ -143,17 +145,33 @@ function dashboardHtml() {
     return cachedHtml;
 }
 function json(res, status, body) {
-    res.writeHead(status, { "Content-Type": "application/json" });
-    res.end(JSON.stringify(body));
+    // Never throw from the responder — the request socket may already be gone
+    // (e.g. an oversized body we destroyed), and a throw here would be unhandled.
+    if (res.headersSent || res.writableEnded)
+        return;
+    try {
+        res.writeHead(status, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(body));
+    }
+    catch { /* socket closed mid-response */ }
 }
 function num(url, key, fallback) {
     const v = Number(url.searchParams.get(key));
-    return Number.isFinite(v) && v > 0 ? v : fallback;
+    return Number.isFinite(v) && v > 0 ? Math.min(v, MAX_QUERY_LIMIT) : fallback;
 }
 function readBody(req) {
     return new Promise((resolve, reject) => {
         let data = "";
-        req.on("data", (chunk) => (data += chunk));
+        let size = 0;
+        req.on("data", (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY_BYTES) {
+                reject(new Error("request body too large"));
+                req.destroy();
+                return;
+            }
+            data += chunk;
+        });
         req.on("end", () => {
             try {
                 resolve(JSON.parse(data));

package/build/src/decay.js

@@ -15,7 +15,10 @@ export function topicWeight(signals, now = Date.now()) {
     let sentiment = 0;
     const intents = new Map();
     for (const s of signals) {
-        const days = Math.max((now - Date.parse(s.ts)) / MS_PER_DAY, 0);
+        const parsed = Date.parse(s.ts);
+        if (!Number.isFinite(parsed))
+            continue; // an unparseable ts must not turn the sum into NaN
+        const days = Math.max((now - parsed) / MS_PER_DAY, 0);
         sum += s.weight * (DEPTH_SCORES[s.depth] ?? 0.3) * Math.exp(-LAMBDA * days);
         sentiment += SENTIMENT_VALUES[s.sentiment] ?? 0;
         intents.set(s.intent, (intents.get(s.intent) ?? 0) + 1);

package/build/src/events.d.ts

@@ -176,5 +176,9 @@ export declare function validateEvent(raw: unknown): PersnallyEvent;
 export declare function newEvent(type: EventType, source: string, payload: Record<string, unknown>, provenance: Provenance, occurredAt?: string): PersnallyEvent;
 /** UUIDv7: 48-bit ms timestamp + random — time-ordered ids that merge cleanly across devices. */
 export declare function uuidv7(): string;
+/** A valid ISO timestamp from an untrusted value (import dates), or now if it
+    can't be parsed — `new Date(junk).toISOString()` throws, which would crash
+    a whole import mid-batch after paying for earlier extractions. */
+export declare function safeIso(value: unknown): string;
 /** Topic normalization, carried over from v1's interest engine (proven merge rules). */
 export declare function normalizeTopic(topic: string): string;

package/build/src/events.js

@@ -120,6 +120,13 @@ export function uuidv7() {
     const hex = [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
     return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
 }
+/** A valid ISO timestamp from an untrusted value (import dates), or now if it
+    can't be parsed — `new Date(junk).toISOString()` throws, which would crash
+    a whole import mid-batch after paying for earlier extractions. */
+export function safeIso(value) {
+    const d = new Date(value);
+    return Number.isFinite(d.getTime()) ? d.toISOString() : new Date().toISOString();
+}
 /** Topic normalization, carried over from v1's interest engine (proven merge rules). */
 export function normalizeTopic(topic) {
     let key = topic.toLowerCase().trim();

package/build/src/importers/chatgpt.js

@@ -5,6 +5,7 @@
  */
 import { readFileSync, existsSync, statSync } from "node:fs";
 import { join } from "node:path";
+import { safeIso } from "../events.js";
 import { anthropicExtract, DEFAULT_EXTRACT_MODEL } from "../llm.js";
 import { extractEvents } from "./extract.js";
 export function parseChatGPTExport(path) {
@@ -23,7 +24,7 @@ export function parseChatGPTExport(path) {
             uuid: String(c.conversation_id ?? c.id ?? ""),
             name: String(c.title ?? ""),
             summary: "",
-            created_at: c.create_time ? new Date(c.create_time * 1000).toISOString() : new Date().toISOString(),
+            created_at: safeIso(c.create_time ? c.create_time * 1000 : undefined),
             userMessages,
         };
     });

package/build/src/importers/extract.js

@@ -3,7 +3,7 @@
  * Parsers produce a ParsedExport; this turns it into provenance-linked events.
  */
 import { z } from "zod";
-import { newEvent, uuidv7, PAYLOAD_SCHEMAS } from "../events.js";
+import { newEvent, safeIso, uuidv7, PAYLOAD_SCHEMAS } from "../events.js";
 import { anthropicExtract, DEFAULT_EXTRACT_MODEL } from "../llm.js";
 const MAX_CONVO_CHARS = 30_000;
 const topicsExtraction = z.object({ topics: z.array(PAYLOAD_SCHEMAS["signal.topic"]) });
@@ -23,7 +23,7 @@ export async function extractEvents(parsed, opts, extract = anthropicExtract, mo
         });
         const { topics } = topicsExtraction.parse(result);
         for (const t of topics) {
-            events.push(newEvent("signal.topic", opts.source, t, { kind: "import", batch, file: opts.file, conversation_uuid: convo.uuid }, new Date(convo.created_at).toISOString()));
+            events.push(newEvent("signal.topic", opts.source, t, { kind: "import", batch, file: opts.file, conversation_uuid: convo.uuid }, safeIso(convo.created_at)));
         }
     }
     if (parsed.memoryText.trim() || parsed.projects.length) {

package/build/src/importers/git.js

@@ -4,7 +4,7 @@
  * Carries forward the v1 skill_analyzer's framework-detection approach.
  */
 import { execFileSync } from "node:child_process";
-import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
 import { basename, join } from "node:path";
 import { newEvent, uuidv7 } from "../events.js";
 const FRAMEWORKS = {
@@ -81,6 +81,10 @@ export function scanRepos(path, authorEmail) {
     const direct = summarizeRepo(path, authorEmail);
     if (direct)
         return [direct];
+    // Not a repo — must be a folder of repos. A file path here is user error,
+    // not a crash (readdirSync would throw ENOTDIR).
+    if (!existsSync(path) || !statSync(path).isDirectory())
+        return [];
     return readdirSync(path, { withFileTypes: true })
         .filter((d) => d.isDirectory())
         .map((d) => { try {

package/build/src/lifecycle.js

@@ -3,7 +3,7 @@
  * The pidfile is advisory: a stale one (dead pid) is detected and cleaned up.
  */
 import { execFileSync, spawn } from "node:child_process";
-import { existsSync, mkdirSync, openSync, readFileSync, rmSync, unlinkSync, writeFileSync } from "node:fs";
+import { closeSync, existsSync, mkdirSync, openSync, readFileSync, rmSync, unlinkSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { DATA_DIR } from "./paths.js";
@@ -49,6 +49,7 @@ export async function startDetached(cliPath, port) {
         stdio: ["ignore", log, log],
         env: process.env,
     });
+    closeSync(log); // the child dup'd it at spawn; don't leak the parent's copy
     child.unref();
     for (let i = 0; i < 30; i++) {
         await sleep(100);

package/build/src/mcp/migrate-v1.js

@@ -6,6 +6,7 @@
 import { existsSync, readFileSync, renameSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
+import { safeIso } from "../events.js";
 import { daemonPost } from "./daemon-client.js";
 const GRAPH_FILE = join(homedir(), ".persnally", "interest-graph.json");
 const INTENTS = new Set(["learning", "building", "researching", "deciding", "discussing", "debugging"]);
@@ -21,6 +22,11 @@ export async function migrateV1Graph() {
         nodes = JSON.parse(readFileSync(GRAPH_FILE, "utf-8")).nodes ?? {};
     }
     catch {
+        // Corrupt v1 file — move it aside so we don't reparse it on every session.
+        try {
+            renameSync(GRAPH_FILE, GRAPH_FILE + ".v1-corrupt");
+        }
+        catch { /* leave it */ }
         return 0;
     }
     const entries = Object.values(nodes);
@@ -29,7 +35,7 @@ export async function migrateV1Graph() {
         const events = entries.map((n) => ({
             type: "signal.topic",
             source: "system",
-            ts: new Date(n.last_seen).toISOString(),
+            ts: safeIso(n.last_seen),
             payload: {
                 topic: n.topic,
                 weight: Math.min(Math.max(n.current_weight, 0.05), 1),

package/build/src/setup.js

@@ -9,11 +9,17 @@ import { homedir, tmpdir } from "node:os";
 import { join } from "node:path";
 import { loadConfig, saveConfig } from "./config.js";
 function sniffKind(conversationsJson) {
+    // 64 KB: the discriminating key can sit past a large first record (esp. ChatGPT).
     const fd = openSync(conversationsJson, "r");
-    const buf = Buffer.alloc(4096);
-    const n = readSync(fd, buf, 0, buf.length, 0);
-    closeSync(fd);
-    const head = buf.toString("utf-8", 0, n);
+    let head;
+    try {
+        const buf = Buffer.alloc(65536);
+        const n = readSync(fd, buf, 0, buf.length, 0);
+        head = buf.toString("utf-8", 0, n);
+    }
+    finally {
+        closeSync(fd); // always close, even if readSync throws
+    }
     if (head.includes('"chat_messages"'))
         return "claude";
     if (head.includes('"mapping"'))

package/build/src/store.js

@@ -16,6 +16,10 @@ export class EventStore {
         mkdirSync(dirname(path), { recursive: true });
         this.db = new Database(path);
         this.db.pragma("journal_mode = WAL");
+        // The CLI and the daemon each open their own connection; a blocked writer
+        // waits instead of failing fast with SQLITE_BUSY (better-sqlite3 defaults
+        // to 5s — set explicitly with headroom for large rebuilds).
+        this.db.pragma("busy_timeout = 10000");
         this.migrate();
     }
     migrate() {
@@ -162,7 +166,9 @@ export class EventStore {
                 topic: a.topic,
                 category: [...a.categories.entries()].sort((x, y) => y[1] - x[1])[0][0],
                 signals: a.signals.length,
-                weight: w.weight,
+                // Guard the NOT NULL column: a non-finite weight would abort the whole
+                // rebuild transaction and wedge the topic view permanently.
+                weight: Number.isFinite(w.weight) ? w.weight : 0,
                 sentiment_balance: w.sentiment_balance,
                 dominant_intent: w.dominant_intent,
                 entities: [...a.entities].slice(0, 20),
@@ -217,7 +223,9 @@ export class EventStore {
         return result.changes;
     }
     forgetAll() {
-        this.db.exec("DELETE FROM events; DELETE FROM view_topics;");
+        // Clear the profile too — it's prose derived from now-deleted events.
+        // Leaving it would serve a profile after a full wipe ("deletable for real").
+        this.db.exec("DELETE FROM events; DELETE FROM view_topics; DELETE FROM view_profile;");
     }
     close() {
         this.db.close();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "persnally",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "license": "FSL-1.1-MIT",
   "description": "The context engine for you — local-first, across every AI. So every AI finally knows you.",
   "type": "module",