polygram 0.13.1 → 0.14.0

package/lib/db/events-retention.js

@@ -40,6 +40,10 @@ const DEFAULT_POLICY = {
   keepForeverKinds: [
     'polygram-start', 'polygram-stop', 'shutdown-drain',
     'handler-error', 'auth-expired', 'resume-fail',
+    // 0.14 boot-replay forensics — was a real task skipped-and-announced, or
+    // silently lost? Kept so "why didn't my message get answered after the
+    // restart?" is answerable beyond the 90d default (still capped).
+    'replay-on-boot', 'replay-notice-sent', 'replay-notice-failed',
     // the prune's own audit trail — kept so it survives a prune (still capped):
     'events-pruned', 'events-prune-preview', 'events-prune-skipped',
   ],

package/lib/db.js

@@ -19,7 +19,11 @@ const Database = require('better-sqlite3');
 // SCHEMA_VERSION; the early-return on line ~42 then skipped the
 // migration loop on any DB already at user_version=8 → turn_metrics
 // table never created → INSERT prepare at startup crashed polygram.
-const SCHEMA_VERSION = 12;
+//
+// 0.14: bumped from 12 → 13. Adds migration 013-clean-shutdown-marker.sql
+// (polling_state.clean_shutdown_at). Same footgun as the 8→9 note: forgetting
+// the bump skips the migration on any DB already at user_version=12.
+const SCHEMA_VERSION = 13;
 
 // Sentinel `error` value for outbound rows whose API call may or may not
 // have reached Telegram. markStalePending writes it; hasOutboundReplyTo
@@ -637,6 +641,61 @@ function wrap(db) {
       `).run(botName, cutoff);
     },
 
+    // 0.14 boot-replay: record a DELIBERATE (clean) shutdown. Atomically, in ONE
+    // transaction: (a) mark still-in-flight inbound rows replay-pending (so a
+    // deliberate restart that interrupted a long turn still recovers it), and
+    // (b) stamp polling_state.clean_shutdown_at so boot can tell clean from
+    // crash. Written UNCONDITIONALLY on every clean shutdown — NOT gated on
+    // in-flight count — because a stale replay-pending row from a prior life
+    // must NOT be crash-recovered (re-answered) on a deliberate restart.
+    //
+    // The upsert satisfies polling_state's NOT NULL last_update_id/ts (migration
+    // 005) for a fresh/quiet bot that has no row yet (a row is otherwise created
+    // only on a non-empty getUpdates batch): COALESCE the existing values, else
+    // seed (0, now).
+    recordCleanShutdown({ botName, now = Date.now(), since } = {}) {
+      const cutoff = since ?? now - 30 * 60 * 1000;
+      const txn = db.transaction(() => {
+        const marked = db.prepare(`
+          UPDATE messages SET handler_status = 'replay-pending'
+           WHERE direction = 'in'
+             AND handler_status IN ('dispatched', 'processing')
+             AND bot_name = ?
+             AND ts > ?
+        `).run(botName, cutoff);
+        db.prepare(`
+          INSERT INTO polling_state (bot_name, last_update_id, ts, clean_shutdown_at)
+          VALUES (?,
+                  COALESCE((SELECT last_update_id FROM polling_state WHERE bot_name = ?), 0),
+                  COALESCE((SELECT ts             FROM polling_state WHERE bot_name = ?), ?),
+                  ?)
+          ON CONFLICT(bot_name) DO UPDATE SET clean_shutdown_at = excluded.clean_shutdown_at
+        `).run(botName, botName, botName, now, now);
+        return marked.changes;
+      });
+      return { replayMarked: txn() };
+    },
+
+    // 0.14: read AND clear the clean-shutdown marker in one txn. "Clean" iff a
+    // marker is present, not future-dated (clock skew → crash), and within
+    // maxAgeMs (derived from the replay window). Clear-on-read so a marker from
+    // a prior boot can never be inherited as "clean" after a later crash. Any
+    // ambiguity ⇒ clean:false (the caller treats that as crash → recover).
+    consumeCleanShutdownMarker({ botName, now = Date.now(), maxAgeMs }) {
+      const txn = db.transaction(() => {
+        const row = db.prepare('SELECT clean_shutdown_at FROM polling_state WHERE bot_name = ?').get(botName);
+        const at = row ? row.clean_shutdown_at : null;
+        if (row && at != null) {
+          db.prepare('UPDATE polling_state SET clean_shutdown_at = NULL WHERE bot_name = ?').run(botName);
+        }
+        return at;
+      });
+      const at = txn();
+      const age = typeof at === 'number' ? now - at : null;
+      const clean = age != null && age >= 0 && (maxAgeMs == null || age <= maxAgeMs);
+      return { clean, markerAt: at };
+    },
+
     // ─── Attachments (migration 007, polygram 0.6.0) ──────────────────
     //
     // Replaces the messages.attachments_json blob. Each attachment is its

package/lib/handlers/download.js

@@ -106,10 +106,19 @@ function createDownloadAttachments({
           } catch (e) {
             if (e.code === 'EEXIST') {
               logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
-            } else if (e.code === 'EXDEV') {
-              fs.copyFileSync(fileInfo.file_path, localPath);   // cross-device fallback
             } else {
-              throw e;
+              // A hard link can fail even when a byte copy succeeds: EXDEV (the
+              // bot-api data dir is a different device/overlay than the inbox) or
+              // EPERM (the volume's filesystem refuses a cross-fs / cross-owner
+              // hard link — the local Bot API container writes files as a
+              // different user, e.g. `messagebus`, and polygram reads them via
+              // group membership). Copy works whenever we can READ the source
+              // (group perm) + WRITE the inbox; if the source read is genuinely
+              // denied, copyFileSync throws EACCES and the outer handler marks
+              // the attachment failed. Falling back on EXDEV only (the old
+              // behaviour) left EPERM uncaught → every inbound file failed once
+              // the local Bot API server was a Docker volume (2026-06-16).
+              fs.copyFileSync(fileInfo.file_path, localPath);
             }
           }
         }

package/lib/handlers/replay-disposition.js

@@ -0,0 +1,120 @@
+'use strict';
+
+/**
+ * Boot-replay disposition (0.14) — decide what to do with the replay candidate
+ * set, given whether the last shutdown was a DELIBERATE restart or a CRASH.
+ *
+ * Pure function (no I/O) so it's unit-testable without booting the daemon; the
+ * caller performs the actual dispatch / skip-marking / notice-sending from the
+ * returned plan (see executeReplayPlan).
+ *
+ *   - CRASH (cleanShutdown=false): recover every still-unanswered candidate —
+ *     the existing rc.57 behavior. An unexpected exit must never silently drop
+ *     interrupted work.
+ *   - CLEAN (cleanShutdown=true): a deliberate restart. Prod data (n=3430)
+ *     showed skip-vs-recover CANNOT be auto-classified (53% of turns run >=30s
+ *     so ordinary interactive turns are replay-pending just like a long task,
+ *     and the rc.57 Xero case is itself a user message). So we decide by RESTART
+ *     INTENT, not message state: skip ALL pending candidates (don't re-answer
+ *     stale messages) and surface ONE visibility notice per chat/topic so a
+ *     genuinely-needed reply can be re-sent. rc.57's harm was *silent* loss;
+ *     this makes the skip *visible*.
+ *
+ * Dedup: a candidate already answered (hasCompletedTurn -> true) is dropped from
+ * the plan entirely — never recovered, never announced. The caller wires this to
+ * db.hasCompletedTurnFor (turn_metrics), NOT hasOutboundReplyTo (rc.51).
+ *
+ * @param {object} opts
+ * @param {Array<{chat_id, thread_id?, msg_id}>} opts.candidates
+ * @param {boolean} opts.cleanShutdown  true iff the clean-shutdown marker was present+fresh
+ * @param {(candidate)=>boolean} [opts.hasCompletedTurn]  already-answered predicate (default: none)
+ * @param {(candidate)=>boolean} [opts.announceable]  notice-eligible predicate (default: all). Excludes
+ *   admin/slash + abort-shaped rows so we don't announce "I didn't resume your /new".
+ * @returns {{recover: Array, skip: Array, notices: Array<{chat_id, thread_id, items: Array}>}}
+ */
+function classifyReplay({ candidates = [], cleanShutdown = false, hasCompletedTurn, announceable } = {}) {
+  const answered = typeof hasCompletedTurn === 'function' ? hasCompletedTurn : () => false;
+  const pending = (candidates || []).filter((c) => !answered(c));
+
+  if (!cleanShutdown) {
+    // Crash: recover everything unanswered (unchanged rc.57 behavior).
+    return { recover: pending, skip: [], notices: [] };
+  }
+
+  // Deliberate restart: skip ALL pending (none re-answered), and group the
+  // ANNOUNCEABLE ones per (chat, thread) for one visibility notice each
+  // (isolateTopics-safe). announceable excludes admin/slash + abort-shaped rows
+  // (H5) — those are skipped silently, mirroring the crash path's redelivery
+  // gate which never re-executes them. Default: everything announceable.
+  const isAnnounceable = typeof announceable === 'function' ? announceable : () => true;
+  const SEP = String.fromCharCode(0); // NUL separator (H8, collision-proof)
+  const groups = new Map();
+  for (const c of pending) {
+    if (!isAnnounceable(c)) continue;
+    const thread = c.thread_id == null ? null : c.thread_id;
+    const key = `${c.chat_id}${SEP}${thread == null ? '' : thread}`;
+    let g = groups.get(key);
+    if (!g) { g = { chat_id: c.chat_id, thread_id: thread, items: [] }; groups.set(key, g); }
+    g.items.push(c);
+  }
+  return { recover: [], skip: pending, notices: Array.from(groups.values()) };
+}
+
+/**
+ * Execute a classified plan (0.14, H6). Pure-ish: all I/O via injected deps, so
+ * it's unit-testable and the crash-seam ordering can be asserted.
+ *
+ * Ordering (fail-toward-recovery): the caller has already read-and-cleared the
+ * marker BEFORE this runs, so a crash mid-execution leaves un-marked rows as
+ * candidates -> next boot has no marker -> CRASH branch recovers them (never a
+ * silent drop). Within the clean branch: send each group's notice FIRST; only on
+ * a CONFIRMED send mark that group's rows terminal ('replay-skipped'); on a send
+ * FAILURE leave the rows recoverable and emit replay-notice-failed. Gate-blocked
+ * skip items (not in any notice group) are marked terminal silently.
+ *
+ * @param {object} opts
+ * @param {{recover:Array, skip:Array, notices:Array}} opts.plan
+ * @param {object} opts.deps
+ * @param {(candidate)=>Promise<{ok:boolean}>} opts.deps.recover  crash-path re-dispatch
+ * @param {(group)=>Promise<{ok:boolean, messageId?:any, error?:string}>} opts.deps.sendNotice
+ * @param {(candidate)=>void} opts.deps.markSkipped  mark row terminal 'replay-skipped'
+ * @param {(kind, detail)=>void} [opts.deps.logEvent]
+ * @returns {Promise<{recovered:number, skipped:number, noticed:number, noticeFailed:number}>}
+ */
+async function executeReplayPlan({ plan, deps }) {
+  const { recover = [], skip = [], notices = [] } = plan || {};
+  const log = (deps && deps.logEvent) || (() => {});
+  let recovered = 0; let skipped = 0; let noticed = 0; let noticeFailed = 0;
+
+  // CRASH branch — recover each (unchanged rc.57 behavior).
+  for (const c of recover) {
+    // eslint-disable-next-line no-await-in-loop
+    const r = await deps.recover(c);
+    if (r && r.ok) recovered += 1; else skipped += 1;
+  }
+
+  // CLEAN branch — notice-then-mark, per group.
+  const inNotices = new Set();
+  for (const g of notices) for (const c of g.items) inNotices.add(c);
+  for (const g of notices) {
+    let res;
+    // eslint-disable-next-line no-await-in-loop
+    try { res = await deps.sendNotice(g); } catch (e) { res = { ok: false, error: e && e.message }; }
+    if (res && res.ok) {
+      for (const c of g.items) { deps.markSkipped(c); skipped += 1; }
+      noticed += 1;
+      log('replay-notice-sent', { chat_id: g.chat_id, thread_id: g.thread_id, count: g.items.length, notice_msg_id: res.messageId });
+    } else {
+      noticeFailed += 1;
+      log('replay-notice-failed', { chat_id: g.chat_id, thread_id: g.thread_id, count: g.items.length, error: res && res.error });
+      // leave rows recoverable (no markSkipped) — next boot's crash branch recovers them
+    }
+  }
+  // Gate-blocked skip items (never in a notice group) -> terminal, silent.
+  for (const c of skip) {
+    if (!inNotices.has(c)) { deps.markSkipped(c); skipped += 1; }
+  }
+  return { recovered, skipped, noticed, noticeFailed };
+}
+
+module.exports = { classifyReplay, executeReplayPlan };

package/migrations/013-clean-shutdown-marker.sql

@@ -0,0 +1,10 @@
+-- 0.14: clean-shutdown marker for boot-replay.
+--
+-- On a DELIBERATE restart polygram skips re-dispatching stale candidates (so it
+-- doesn't re-answer messages the user already saw it working on) and posts one
+-- visibility notice instead. On a CRASH it recovers everything (unchanged).
+--
+-- The marker is written in the shutdown handler (same txn as markReplayPending)
+-- and read-and-cleared at boot. NULL = no clean shutdown recorded → treat as
+-- crash (recover). One row per bot (shares polling_state's PK).
+ALTER TABLE polling_state ADD COLUMN clean_shutdown_at INTEGER;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.13.1",
+  "version": "0.14.0",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {

package/polygram.js

@@ -67,8 +67,9 @@ const { createHandleAbort } = require('./lib/handlers/abort');
 const { createAutosteerHandlers } = require('./lib/handlers/autosteer');
 const { createEditCorrectionInjector } = require('./lib/handlers/edit-correction');
 const { createEditRedelivery } = require('./lib/handlers/edit-redelivery');
-const { createGateInbound } = require('./lib/handlers/gate-inbound');
+const { createGateInbound, ADMIN_CMD_RE, PAIR_CLAIM_RE } = require('./lib/handlers/gate-inbound');
 const { createRedeliver } = require('./lib/handlers/redeliver');
+const { classifyReplay, executeReplayPlan } = require('./lib/handlers/replay-disposition');
 const { createDropRedeliverer } = require('./lib/handlers/drop-redeliver');
 const { createSessionFeedback } = require('./lib/feedback/session-feedback');
 const { createSlashCommands } = require('./lib/handlers/slash-commands');
@@ -2650,28 +2651,29 @@ async function main() {
     let remaining = 0;
     for (const n of inFlightHandlers.values()) remaining += n;
 
-    // 3. Anything still in-flight → mark in DB as replay-pending so the
-    //    next polygram boot re-dispatches it. User never sees an error.
-    if (remaining > 0 && db) {
+    // 3. This handler only runs on a DELIBERATE shutdown (SIGINT/SIGTERM/SIGHUP);
+    //    a crash (SIGKILL/OOM/panic) never reaches here. Record a clean-shutdown
+    //    marker AND mark any still-in-flight rows replay-pending, atomically, on
+    //    EVERY clean shutdown (not just when in-flight>0) — boot uses the marker
+    //    to SKIP re-answering stale messages on a deliberate restart while still
+    //    recovering everything on a crash (0.14, §H1). markReplayPending alone
+    //    (the old behavior) couldn't distinguish the two, so every deploy
+    //    re-answered. A stale replay-pending row from a prior life would also be
+    //    crash-recovered on a deliberate restart without the unconditional marker.
+    if (db) {
       try {
-        const res = db.markReplayPending({ botName: BOT_NAME });
+        const res = db.recordCleanShutdown({ botName: BOT_NAME });
         logEvent('shutdown-drain', {
           bot: BOT_NAME,
           in_flight: remaining,
-          replay_marked: res?.changes ?? 0,
+          replay_marked: res?.replayMarked ?? 0,
           elapsed_ms: drainElapsed,
+          clean: true,
         });
-        console.log(`[shutdown] drained ${drainElapsed}ms, ${remaining} still in-flight, ${res?.changes ?? 0} rows marked replay-pending`);
+        console.log(`[shutdown] clean shutdown recorded; drained ${drainElapsed}ms, ${remaining} in-flight, ${res?.replayMarked ?? 0} marked replay-pending`);
       } catch (err) {
-        console.error(`[shutdown] markReplayPending failed: ${err.message}`);
+        console.error(`[shutdown] recordCleanShutdown failed: ${err.message}`);
       }
-    } else if (db) {
-      logEvent('shutdown-drain', {
-        bot: BOT_NAME,
-        in_flight: 0,
-        elapsed_ms: drainElapsed,
-      });
-      console.log(`[shutdown] clean drain in ${drainElapsed}ms`);
     }
 
     // 4. Remaining shutdown: approvals sweeper, IPC, resolve hook waiters,
@@ -2752,34 +2754,52 @@ async function main() {
     const chatIds = Object.keys(config.chats);
     if (chatIds.length > 0) {
       const replayWindowMs = resolveReplayWindowMs(config);
+
+      // 0.14: classify by RESTART INTENT. Read-and-clear the clean-shutdown
+      // marker FIRST, in its own try/catch — ANY error => treat as crash
+      // (recover), never skip-all (fail toward recovery). A deliberate restart
+      // skips re-answering stale messages and posts one visibility notice; a
+      // crash recovers everything (unchanged rc.57 behavior).
+      let cleanShutdown = false;
+      try {
+        const maxAgeMs = 2 * (replayWindowMs || 3 * 60 * 1000);
+        cleanShutdown = db.consumeCleanShutdownMarker({ botName: BOT_NAME, maxAgeMs }).clean;
+      } catch (err) {
+        console.error(`[replay] clean-shutdown marker read failed (-> crash recover): ${err.message}`);
+        cleanShutdown = false;
+      }
+
       const candidates = db.getReplayCandidates({ chatIds, ...(replayWindowMs && { olderThanMs: replayWindowMs }) });
-      let replayed = 0;
-      let skipped = 0;
+
+      // Cleanup pass: a candidate with a COMPLETED turn (turn_metrics, not just
+      // an ack-bubble — rc.51, the rc.50 msg-12158 lesson) was already answered.
+      // Mark it terminal 'replied' and exclude it from the plan (recovered nor
+      // announced). Single pass → reuse the result as the dedup predicate.
+      const completed = new Set();
       for (const row of candidates) {
-        // rc.51: dedupe on turn_metrics (definitive turn completion),
-        // NOT just on hasOutboundReplyTo. The latter trips on
-        // intermediate ack-bubbles (e.g. "Catching up on history…",
-        // "I'll write a quick inline script…") and silently skips the
-        // replay even when the actual answer never arrived. The rc.50
-        // EIO-orphan incident lost Ivan DM msg 12158 this way: an ack
-        // bubble was sent at 13:20:36, the turn was killed mid-flight,
-        // boot-replay saw the ack and assumed "answered."
-        //
-        // turn_metrics is only inserted by the SDK pm's onResult
-        // callback, which fires only when the turn definitively
-        // completes. No row → no completion → re-dispatch.
         if (db.hasCompletedTurnFor({ chat_id: row.chat_id, msg_id: row.msg_id })) {
-          db.setInboundHandlerStatus({
-            chat_id: row.chat_id, msg_id: row.msg_id, status: 'replied',
-          });
-          skipped += 1;
-          continue;
+          completed.add(`${row.chat_id}/${row.msg_id}`);
+          db.setInboundHandlerStatus({ chat_id: row.chat_id, msg_id: row.msg_id, status: 'replied' });
         }
-        // Reconstruct a minimal grammy-like Message object. Enough for
-        // dispatchRegularMessage (mention detect, abort, admin cmds,
-        // shouldHandle, enqueue). Attachments carry file_ids so the
-        // normal download path re-fetches on replay.
-        const reconstructed = {
+      }
+      const hasCompletedTurn = (row) => completed.has(`${row.chat_id}/${row.msg_id}`);
+
+      // Notice eligibility (H5): never announce admin/slash or abort-shaped rows
+      // (the crash path's redelivery gate never re-executes them either). An
+      // attachment-only message (no text, e.g. a screenshot) IS announceable.
+      const announceable = (row) => {
+        const t = (row.text || '').trim();
+        if (!t) return true;
+        if (typeof isAbortRequest === 'function' && isAbortRequest(t)) return false;
+        if (ADMIN_CMD_RE.test(t) || PAIR_CLAIM_RE.test(t)) return false;
+        return true;
+      };
+
+      // Reconstruct a minimal grammy-like Message for the crash-path
+      // re-dispatch (the shape dispatchRegularMessage expects; attachments via
+      // the media-group shortcut so the normal download path re-fetches).
+      const reconstruct = (row) => {
+        const msg = {
           chat: { id: Number(row.chat_id), type: row.chat_id.startsWith('-') ? 'supergroup' : 'private' },
           message_id: row.msg_id,
           from: { id: row.user_id, first_name: row.user },
@@ -2788,36 +2808,54 @@ async function main() {
           ...(row.thread_id && { message_thread_id: Number(row.thread_id) }),
           ...(row.reply_to_id && { reply_to_message: { message_id: row.reply_to_id } }),
         };
-        // Attach already-recorded attachments via the media-group shortcut
-        // field so extractAttachments picks them up without re-parsing
-        // grammy fields that don't exist on this reconstructed object.
         const attRows = db.getAttachmentsByMessage(row.id);
         if (attRows.length) {
-          reconstructed._mergedAttachments = attRows.map((a) => ({
+          msg._mergedAttachments = attRows.map((a) => ({
             kind: a.kind, name: a.name, mime_type: a.mime_type,
             size: a.size_bytes, file_id: a.file_id, file_unique_id: a.file_unique_id,
           }));
         }
-        const chatConfig = config.chats[row.chat_id];
-        if (!chatConfig) { skipped += 1; continue; }
-        // 0.13 D4: through the unified redelivery tail — _isReplay tag (error
-        // reply suppressed, not replay-eligible), 'replay-attempted' pre-mark
-        // (one-shot: even if THIS attempt dies mid-turn, the next boot won't
-        // loop), the D5 gate at tier 'redelivery' (abort/admin-shaped rows are
-        // never auto-re-executed; a row whose chat lost its pairing since is
-        // re-checked), a 👀 ack so the recovery is visible, then dispatch.
-        // eslint-disable-next-line no-await-in-loop
-        const r = await redeliverAsFreshTurn({
-          chatId: row.chat_id, msg: reconstructed,
-          source: 'boot-replay', preMark: 'replay-attempted',
-        });
-        if (r.ok) replayed += 1;
-        else skipped += 1;
-      }
+        return msg;
+      };
+
+      const plan = classifyReplay({ candidates, cleanShutdown, hasCompletedTurn, announceable });
+
+      const result = await executeReplayPlan({
+        plan,
+        deps: {
+          // CRASH path — unchanged: through the unified redelivery tail (D5 gate
+          // at tier 'redelivery', 'replay-attempted' one-shot pre-mark, ack).
+          recover: async (row) => {
+            const chatConfig = config.chats[row.chat_id];
+            if (!chatConfig) return { ok: false };
+            return redeliverAsFreshTurn({
+              chatId: row.chat_id, msg: reconstruct(row),
+              source: 'boot-replay', preMark: 'replay-attempted',
+            });
+          },
+          // CLEAN path — one visibility notice per (chat, thread). plainText so
+          // no markdown/HTML parse on a boot send.
+          sendNotice: async (g) => {
+            const n = g.items.length;
+            const text = `↺ Restarted — I didn't auto-resume ${n} message${n > 1 ? 's' : ''} you sent just before. If any still need a reply, send it again.`;
+            const res = await tg(bot, 'sendMessage', {
+              chat_id: Number(g.chat_id), text,
+              ...(g.thread_id ? { message_thread_id: Number(g.thread_id) } : {}),
+            }, { source: 'boot-replay-notice', plainText: true });
+            return { ok: true, messageId: res?.message_id };
+          },
+          markSkipped: (row) => db.setInboundHandlerStatus({ chat_id: row.chat_id, msg_id: row.msg_id, status: 'replay-skipped' }),
+          logEvent,
+        },
+      });
+
       if (candidates.length > 0) {
-        console.log(`[replay] ${replayed} turns re-dispatched, ${skipped} skipped (already replied or no chat config)`);
+        console.log(`[replay] ${cleanShutdown ? 'clean restart' : 'crash'} — recovered ${result.recovered}, skipped ${result.skipped}, noticed ${result.noticed}${result.noticeFailed ? `, notice-failed ${result.noticeFailed}` : ''}`);
         logEvent('replay-on-boot', {
-          bot: BOT_NAME, replayed, skipped, total: candidates.length,
+          bot: BOT_NAME, clean: cleanShutdown,
+          recovered: result.recovered, skipped: result.skipped,
+          noticed: result.noticed, notice_failed: result.noticeFailed,
+          total: candidates.length,
         });
       }
     }