social-autoposter 1.6.46 → 1.6.48

package/mcp/dist/index.js

@@ -327,7 +327,18 @@ async function postApproved(batchId, plan) {
     // twitter_browser.py's reply handler reads this env (inherited through
     // twitter_post_plan.py's subprocess). The cron pipeline doesn't set it, so the
     // A/B disclosure experiment keeps running on autopilot/cron and on Reddit.
-    const res = await runPython("scripts/twitter_post_plan.py", ["--plan", planPath(approvedBatch)], { timeoutMs: 900_000, env: { SAPS_SKIP_CAMPAIGN_SUFFIX: "1" } });
+    const res = await runPython("scripts/twitter_post_plan.py", ["--plan", planPath(approvedBatch)], {
+        timeoutMs: 900_000,
+        env: {
+            SAPS_SKIP_CAMPAIGN_SUFFIX: "1",
+            // The poster attaches to the twitter-harness Chrome over CDP. The cron
+            // pipeline exports this from skill/lib/twitter-backend.sh; the MCP path
+            // must set it explicitly or twitter_browser.py fails with "No twitter-
+            // harness Chrome reachable". Honor an inherited value (AppMaker / VM
+            // BYO-Chrome), else default to the local harness on port 9555.
+            TWITTER_CDP_URL: process.env.TWITTER_CDP_URL || "http://127.0.0.1:9555",
+        },
+    });
     let summary = res.stdout.trim();
     try {
         const lines = res.stdout.trim().split("\n");

package/mcp/dist/version.json

@@ -1 +1 @@
-{"version":"1.6.44"}
+{"version":"1.6.47"}

package/mcp-servers/browser-harness/server.py

@@ -44,10 +44,20 @@ from mcp.server.fastmcp import FastMCP
 # --- Config ---
 
 PORT = int(os.environ.get("BH_PORT", "9555"))
-PROFILE_DIR = Path.home() / ".claude" / "browser-profiles" / "browser-harness"
-PID_FILE = Path.home() / ".claude" / "browser-profiles" / "browser-harness.chrome.pid"
-LOG_FILE = Path.home() / ".claude" / "browser-profiles" / "browser-harness.chrome.log"
-MCP_LOG_FILE = Path.home() / ".claude" / "browser-profiles" / "browser-harness.mcp.log"
+
+# Profile name can be overridden via BH_PROFILE_NAME env so multiple harness
+# instances (twitter-harness on 9555, linkedin-harness on 9556, reddit-harness
+# on 9557) can run side by side on SEPARATE persistent profiles + PID files
+# without stomping each other's cookies/sessions. If this is hardcoded to
+# "browser-harness", every non-default-port instance lands on the Twitter
+# profile and shares one PID_FILE, so the per-instance ensure_chrome() calls
+# SIGKILL each other's Chrome (regression 2026-06-02, fixed by restoring this).
+# Default "browser-harness" keeps the existing Twitter setup unchanged.
+PROFILE_NAME = os.environ.get("BH_PROFILE_NAME", "browser-harness")
+PROFILE_DIR = Path.home() / ".claude" / "browser-profiles" / PROFILE_NAME
+PID_FILE = Path.home() / ".claude" / "browser-profiles" / f"{PROFILE_NAME}.chrome.pid"
+LOG_FILE = Path.home() / ".claude" / "browser-profiles" / f"{PROFILE_NAME}.chrome.log"
+MCP_LOG_FILE = Path.home() / ".claude" / "browser-profiles" / f"{PROFILE_NAME}.mcp.log"
 
 
 def _detect_chrome_bin() -> str:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "social-autoposter",
-  "version": "1.6.46",
+  "version": "1.6.48",
   "description": "Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Install as a Claude Code agent skill.",
   "bin": {
     "social-autoposter": "bin/cli.js"

package/scripts/_db_update.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+"""Scratch driver: read JSON list of {post_id, session, text} from argv[1] and
+run link_edit_helper mark-edited + dm_short_links backfill-post for each.
+Gitignored scratch helper for the reddit link-edit run."""
+import json, subprocess, sys, os
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+items = json.load(open(sys.argv[1]))
+for it in items:
+    pid = str(it["post_id"]); sess = it["session"]; text = it["text"]
+    src = it.get("source", "plain_url_ab_skip")
+    r1 = subprocess.run([sys.executable, os.path.join(HERE, "link_edit_helper.py"),
+                         "mark-edited", "--post-id", pid, "--content", text, "--source", src],
+                        capture_output=True, text=True)
+    r2 = subprocess.run([sys.executable, os.path.join(HERE, "dm_short_links.py"),
+                         "backfill-post", "--minted-session", sess, "--post-id", pid],
+                        capture_output=True, text=True)
+    bf = (r2.stdout or "").strip().splitlines()[-1:] or [""]
+    print(f"post {pid}: mark_edited_rc={r1.returncode} backfill={bf[0]}"
+          + (f" ERR1={r1.stderr.strip()}" if r1.returncode else ""))

package/scripts/cleanup_harness_tabs.py

@@ -36,8 +36,21 @@ def main() -> int:
     if len(pages) <= 1:
         print(f"[cleanup_harness_tabs] {len(pages)} page tab(s), no cleanup needed")
         return 0
+    # Keep a REAL (http/https) tab when one exists, not blindly pages[0]. The
+    # /json order is roughly most-recently-active first, so a freshly-spawned
+    # about:blank can sit at index 0 and the old code would keep the blank and
+    # close the live x.com tab the harness daemon is attached to. Closing the
+    # daemon's tab forces it to re-attach and re-spawn another about:blank, which
+    # is exactly the orphan-tab churn this script is meant to clean up. Falling
+    # back to pages[0] preserves the prior behavior when every tab is blank.
+    def _is_real(t):
+        return (t.get("url") or "").startswith(("http://", "https://"))
+
+    keep = next((t for t in pages if _is_real(t)), pages[0])
     closed = 0
-    for t in pages[1:]:
+    for t in pages:
+        if t is keep:
+            continue
         tid = t.get("id")
         if not tid:
             continue
@@ -46,7 +59,8 @@ def main() -> int:
             closed += 1
         except Exception:
             pass
-    print(f"[cleanup_harness_tabs] closed {closed}/{len(pages) - 1} extra page tabs (kept 1)")
+    kept_kind = "1 real" if _is_real(keep) else "1"
+    print(f"[cleanup_harness_tabs] closed {closed}/{len(pages) - 1} extra page tabs (kept {kept_kind})")
     return 0
 
 

package/scripts/linkedin_killswitch.py

@@ -54,14 +54,34 @@ from datetime import datetime, timezone
 from email.mime.text import MIMEText
 
 
-STATE_DIR = os.path.expanduser("~/.claude/social-autoposter")
-STATE_FILE = os.path.join(STATE_DIR, "linkedin.killswitch")
-TRAIL_FILE = os.path.join(STATE_DIR, "linkedin.killswitch.trail.jsonl")
+# State paths are env-overridable so the auto-recovery job can be tested
+# against a throwaway killswitch file without touching the live one.
+STATE_DIR = os.path.expanduser(
+    os.environ.get("LINKEDIN_KILLSWITCH_DIR", "~/.claude/social-autoposter")
+)
+STATE_FILE = os.path.expanduser(
+    os.environ.get("LINKEDIN_KILLSWITCH_FILE", os.path.join(STATE_DIR, "linkedin.killswitch"))
+)
+TRAIL_FILE = os.path.expanduser(
+    os.environ.get(
+        "LINKEDIN_KILLSWITCH_TRAIL", os.path.join(STATE_DIR, "linkedin.killswitch.trail.jsonl")
+    )
+)
 
 GMAIL_TOKEN_PATH = os.path.expanduser("~/gmail-api/token_i_at_m13v.com.json")
 GMAIL_SCOPES = ["https://mail.google.com/"]
 NOTIFICATION_EMAIL = os.environ.get("NOTIFICATION_EMAIL", "i@m13v.com")
 
+# Auto-recovery (2026-06-03): after the killswitch has been active this long,
+# an hourly launchd job (skill/linkedin-recovery.sh) runs a gentle read-only
+# probe of LinkedIn. If the session is healthy again, it clears the flag, which
+# resumes every LinkedIn pipeline on its next fire (they all gate on this file).
+# The wait protects the account: per the anti-bot rule we let the session sit
+# idle ~24h after a 999/authwall before re-touching it, rather than hammering
+# the login wall on every cron tick. Override for testing.
+RECOVERY_MIN_AGE_HOURS = float(os.environ.get("LINKEDIN_RECOVERY_MIN_AGE_HOURS", "24"))
+LINKEDIN_CDP_URL = os.environ.get("LINKEDIN_CDP_URL", "http://127.0.0.1:9556")
+
 VALID_SIGNALS = {
     "http_999",
     "authwall_redirect",
@@ -97,6 +117,25 @@ def read():
         return {"signal": "unknown", "detail": "state file unreadable"}
 
 
+def _parse_ts(ts):
+    """Parse an ISO Z timestamp like 2026-06-03T07:23:10Z. None on failure."""
+    try:
+        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
+    except Exception:
+        return None
+
+
+def age_seconds():
+    """Seconds since the killswitch engaged, or None if inactive/unparseable."""
+    p = read()
+    if not p:
+        return None
+    dt = _parse_ts(p.get("ts", ""))
+    if dt is None:
+        return None
+    return (datetime.now(timezone.utc) - dt).total_seconds()
+
+
 def _append_trail(payload):
     _ensure_dir()
     try:
@@ -219,6 +258,135 @@ def engage(signal, detail="", run_log_path="", extra=None, send_email=True):
     return on_disk
 
 
+_LOGIN_MARKERS = ("/login", "/checkpoint", "/uas/login", "linkedin.com/authwall")
+
+
+def _probe_linkedin_health(cdp_url):
+    """Gentle, read-only health probe of the LinkedIn session.
+
+    Attaches (CDP) to the already-running linkedin-harness Chrome and does the
+    minimal nav set the anti-bot carve-out allows: ONE nav to /feed/ (confirms
+    we are logged in) and ONE nav to the exact /in/me/recent-activity/comments/
+    endpoint that trips the killswitch (confirms it no longer bounces to the
+    authwall). No Voyager calls, no scroll loops, no permalink fan-out, no
+    clicks/typing, no programmatic login. Reuses an existing tab and never
+    closes the shared context.
+
+    Returns (healthy: bool, detail: str). Never raises.
+    """
+    try:
+        from playwright.sync_api import sync_playwright
+    except Exception as e:
+        return False, "playwright import failed: {}".format(e)
+
+    try:
+        with sync_playwright() as p:
+            try:
+                browser = p.chromium.connect_over_cdp(cdp_url, timeout=8000)
+            except Exception as e:
+                return False, "cdp attach failed ({}): {}".format(cdp_url, e)
+            contexts = browser.contexts
+            if not contexts:
+                return False, "cdp attach: zero contexts"
+            ctx = contexts[0]
+
+            page = None
+            reused = False
+            for pg in ctx.pages:
+                u = pg.url or ""
+                if "linkedin.com" in u and "login" not in u and "checkpoint" not in u:
+                    page, reused = pg, True
+                    break
+            if page is None and ctx.pages:
+                page, reused = ctx.pages[0], True
+            if page is None:
+                page = ctx.new_page()
+
+            try:
+                # Nav 1: /feed/ — are we still logged in?
+                page.goto(
+                    "https://www.linkedin.com/feed/",
+                    wait_until="domcontentloaded",
+                    timeout=30000,
+                )
+                page.wait_for_timeout(2000)
+                u1 = page.url or ""
+                if any(m in u1 for m in _LOGIN_MARKERS):
+                    return False, "feed redirected to auth: {}".format(u1)
+
+                # Nav 2: the exact endpoint that engaged the killswitch.
+                page.goto(
+                    "https://www.linkedin.com/in/me/recent-activity/comments/",
+                    wait_until="domcontentloaded",
+                    timeout=30000,
+                )
+                page.wait_for_timeout(2000)
+                u2 = page.url or ""
+                if any(m in u2 for m in _LOGIN_MARKERS):
+                    return False, "activity endpoint redirected to auth: {}".format(u2)
+
+                title = ""
+                try:
+                    title = page.title() or ""
+                except Exception:
+                    pass
+                return True, "feed+activity render (title={!r}, url={})".format(title, u2)
+            finally:
+                if page is not None and not reused:
+                    try:
+                        page.close()
+                    except Exception:
+                        pass
+    except Exception as e:
+        return False, "probe exception: {}: {}".format(type(e).__name__, e)
+
+
+def _send_recovery_email(detail, age_sec):
+    """Notify that the killswitch auto-cleared after a healthy probe."""
+    try:
+        from google.auth.transport.requests import Request
+        from google.oauth2.credentials import Credentials
+        from googleapiclient.discovery import build
+
+        if not os.path.isfile(GMAIL_TOKEN_PATH):
+            return False, "gmail token missing"
+
+        creds = Credentials.from_authorized_user_file(GMAIL_TOKEN_PATH, GMAIL_SCOPES)
+        if creds.expired and creds.refresh_token:
+            creds.refresh(Request())
+            with open(GMAIL_TOKEN_PATH, "w") as f:
+                f.write(creds.to_json())
+
+        service = build("gmail", "v1", credentials=creds, cache_discovery=False)
+        age_h = round(age_sec / 3600.0, 1) if age_sec else "?"
+        subject = "[LI KILL] RECOVERED auto-probe healthy"
+        body_lines = [
+            "LinkedIn killswitch auto-cleared.",
+            "",
+            "The hourly recovery probe found the session healthy after the",
+            "killswitch had been active for " + str(age_h) + "h, so it cleared",
+            "the flag. Every LinkedIn pipeline resumes on its next launchd fire.",
+            "",
+            "Probe detail: " + str(detail),
+            "",
+            "If LinkedIn was NOT actually healthy, re-engage manually:",
+            "  python3 ~/social-autoposter/scripts/linkedin_killswitch.py \\",
+            "    engage --signal manual --detail 'auto-recovery false positive'",
+            "",
+            "State file: " + STATE_FILE,
+            "Trail file: " + TRAIL_FILE,
+        ]
+        body = _scrub_dashes("\n".join(body_lines))
+        msg = MIMEText(body, "plain", "utf-8")
+        msg["to"] = NOTIFICATION_EMAIL
+        msg["subject"] = _scrub_dashes(subject)
+        raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("utf-8")
+        service.users().messages().send(userId="me", body={"raw": raw}).execute()
+        return True, "sent"
+    except Exception as exc:
+        return False, "send failed: " + str(exc)
+
+
 def clear():
     """Human ack: remove the flag. Trail row records who cleared it."""
     if not is_active():
@@ -276,6 +444,78 @@ def _cmd_clear(args):
     sys.exit(0)
 
 
+def _cmd_recover_check(args):
+    """Gate for the hourly recovery job: exit 0 only if the killswitch is
+    active AND has been so for >= RECOVERY_MIN_AGE_HOURS. Lets the shell
+    wrapper decide whether to even bring up Chrome (no-op most hours)."""
+    if not is_active():
+        print("recover-check: killswitch not active, nothing to recover", file=sys.stderr)
+        sys.exit(1)
+    age = age_seconds()
+    min_age = RECOVERY_MIN_AGE_HOURS * 3600
+    if age is None:
+        print(
+            "recover-check: active but ts unparseable, manual clear required",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+    if age < min_age:
+        print(
+            "recover-check: active but only {:.1f}h old (< {}h), waiting".format(
+                age / 3600.0, RECOVERY_MIN_AGE_HOURS
+            ),
+            file=sys.stderr,
+        )
+        sys.exit(1)
+    print(
+        "recover-check: eligible (active {:.1f}h >= {}h)".format(
+            age / 3600.0, RECOVERY_MIN_AGE_HOURS
+        ),
+        file=sys.stderr,
+    )
+    sys.exit(0)
+
+
+def _cmd_recover(args):
+    """Run the gentle probe (Chrome must already be up); clear + email on health.
+
+    Re-checks the age gate itself (unless --force) so it is safe to call
+    directly, not just behind recover-check."""
+    if not is_active():
+        print(json.dumps({"recovered": False, "reason": "not_active"}))
+        sys.exit(0)
+    age = age_seconds()
+    min_age = RECOVERY_MIN_AGE_HOURS * 3600
+    if not args.force and (age is None or age < min_age):
+        print(json.dumps({
+            "recovered": False,
+            "reason": "too_young",
+            "age_hours": (round(age / 3600.0, 2) if age else None),
+        }))
+        sys.exit(0)
+
+    cdp_url = args.cdp_url or LINKEDIN_CDP_URL
+    healthy, detail = _probe_linkedin_health(cdp_url)
+    _append_trail({
+        "event": "recover_probe",
+        "ts": _now_iso(),
+        "healthy": healthy,
+        "detail": detail,
+        "age_hours": (round(age / 3600.0, 2) if age else None),
+    })
+    if not healthy:
+        print(json.dumps({"recovered": False, "reason": "probe_unhealthy", "detail": detail}))
+        sys.exit(0)
+
+    clear()
+    _append_trail({"event": "recover_clear", "ts": _now_iso(), "detail": detail})
+    if not args.no_email:
+        ok, msg = _send_recovery_email(detail, age)
+        _append_trail({"event": "recover_email", "ok": ok, "msg": msg})
+    print(json.dumps({"recovered": True, "detail": detail}))
+    sys.exit(0)
+
+
 def main():
     parser = argparse.ArgumentParser(description="LinkedIn pipeline killswitch")
     sub = parser.add_subparsers(dest="cmd", required=True)
@@ -292,12 +532,27 @@ def main():
 
     sub.add_parser("clear", help="clear the killswitch (human ack)")
 
+    sub.add_parser(
+        "recover-check",
+        help="exit 0 if active AND >= RECOVERY_MIN_AGE_HOURS old (else 1)",
+    )
+
+    r = sub.add_parser(
+        "recover",
+        help="gentle probe; clear + email on health (Chrome must be up)",
+    )
+    r.add_argument("--cdp-url", default="", help="harness CDP URL (default $LINKEDIN_CDP_URL)")
+    r.add_argument("--no-email", action="store_true", help="skip recovery email")
+    r.add_argument("--force", action="store_true", help="skip the age gate")
+
     args = parser.parse_args()
     {
         "check": _cmd_check,
         "status": _cmd_status,
         "engage": _cmd_engage,
         "clear": _cmd_clear,
+        "recover-check": _cmd_recover_check,
+        "recover": _cmd_recover,
     }[args.cmd](args)
 
 

package/scripts/qualified_query_bank.py

@@ -243,14 +243,35 @@ def main():
                 continue
             bank = build_bank(name, args.min_likes, args.min_clicks, args.limit)
             proven_size = len(bank)
+            invent_added = 0
             if not args.no_invented:
                 invented = fetch_invented_queries(name, args.invent_min_supply)
                 bank = merge_invented(bank, invented)
+                invent_added = len(bank) - proven_size
+            # Cold-start bootstrap: a freshly-configured project has no proven
+            # queries (no post history) AND no invented ones (invent_topics.py
+            # hasn't run for it yet), so the bank is empty -> the cycle scans
+            # nothing and returns 0 drafts on every early cycle (the dead-on-
+            # arrival problem). Fall back to the project's seeded search_topic AS
+            # the query so there's something to scrape on day one. Proven +
+            # invented queries supersede this automatically as they accumulate.
+            # (cold-start fallback, 2026-06-03)
+            cold_start = False
+            if not bank:
+                topic = ((p.get("search_topic") if isinstance(p, dict) else "") or "").strip()
+                if topic:
+                    bank = [{
+                        "project": name,
+                        "query": f"{topic} -filter:replies",
+                        "search_topic": topic,
+                        "likes": 0, "clicks": 0, "posts": 0,
+                    }]
+                    cold_start = True
             combined.extend(bank)
-            invent_added = len(bank) - proven_size
             print(f"qualified_query_bank: project={name!r} -> {proven_size} proven "
-                  f"+ {invent_added} invented = {len(bank)} queries",
-                  file=sys.stderr)
+                  f"+ {invent_added} invented"
+                  + (" + 1 cold-start(topic)" if cold_start else "")
+                  + f" = {len(bank)} queries", file=sys.stderr)
         json.dump(combined, sys.stdout)
         print()
         print(f"qualified_query_bank: combined bank = {len(combined)} queries across "

package/skill/lib/linkedin-backend.sh

@@ -276,6 +276,22 @@ ensure_linkedin_browser_for_backend() {
                 _extra+=(--window-size="${BH_LINKEDIN_WINDOW_SIZE:-1024,1013}")
                 ;;
         esac
+        # Self-heal (2026-06-03): reap any stale Chrome holding THIS profile dir
+        # but not answering CDP on our port, else the relaunch hands off via the
+        # SingletonLock and loops "failed to start within 12s". Exact-dir match
+        # (trailing space) so this never touches the twitter browser-harness
+        # profile. See twitter-backend.sh for the regression that motivated this.
+        local _prof_dir="$HOME/.claude/browser-profiles/browser-harness-linkedin"
+        local _stale_pids
+        _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+        if [ -n "$_stale_pids" ] && ! curl -sf --max-time 2 -o /dev/null http://127.0.0.1:9556/json/version 2>/dev/null; then
+            echo "[$(date +%H:%M:%S)] CDP down but Chrome still holds $_prof_dir (pids: $(echo $_stale_pids | tr '\n' ' ')); reaping stale profile owner before relaunch" >&2
+            kill $_stale_pids 2>/dev/null || true
+            sleep 2
+            _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+            [ -n "$_stale_pids" ] && { kill -9 $_stale_pids 2>/dev/null || true; sleep 1; }
+            rm -f "$_prof_dir/SingletonLock" "$_prof_dir/SingletonSocket" "$_prof_dir/SingletonCookie" 2>/dev/null || true
+        fi
         "$_chrome_bin" \
             --remote-debugging-port=9556 \
             --user-data-dir="$HOME/.claude/browser-profiles/browser-harness-linkedin" \

package/skill/lib/reddit-backend.sh

@@ -187,6 +187,22 @@ ensure_reddit_browser_for_backend() {
                 _extra+=(--window-size="${BH_REDDIT_WINDOW_SIZE:-911,1016}")
                 ;;
         esac
+        # Self-heal (2026-06-03): reap any stale Chrome holding THIS profile dir
+        # but not answering CDP on our port, else the relaunch hands off via the
+        # SingletonLock and loops "failed to start within 12s". Exact-dir match
+        # (trailing space) keeps this scoped to reddit-harness only. See
+        # twitter-backend.sh for the regression that motivated this.
+        local _prof_dir="$HOME/.claude/browser-profiles/reddit-harness"
+        local _stale_pids
+        _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+        if [ -n "$_stale_pids" ] && ! curl -sf --max-time 2 -o /dev/null http://127.0.0.1:9557/json/version 2>/dev/null; then
+            echo "[$(date +%H:%M:%S)] CDP down but Chrome still holds $_prof_dir (pids: $(echo $_stale_pids | tr '\n' ' ')); reaping stale profile owner before relaunch" >&2
+            kill $_stale_pids 2>/dev/null || true
+            sleep 2
+            _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+            [ -n "$_stale_pids" ] && { kill -9 $_stale_pids 2>/dev/null || true; sleep 1; }
+            rm -f "$_prof_dir/SingletonLock" "$_prof_dir/SingletonSocket" "$_prof_dir/SingletonCookie" 2>/dev/null || true
+        fi
         "$_chrome_bin" \
             --remote-debugging-port=9557 \
             --user-data-dir="$HOME/.claude/browser-profiles/reddit-harness" \

package/skill/lib/twitter-backend.sh

@@ -205,6 +205,26 @@ ensure_twitter_browser_for_backend() {
         # re-injection needed. Matches the flags the Playwright browser agents
         # already use. (Root-cause persistence fix, 2026-06-02; the cookie
         # mirror + restore_twitter_session.py remain as the safety net.)
+        # Self-heal (2026-06-03): if a Chrome already holds THIS profile dir but
+        # is not answering CDP on our port, a fresh launch hands off to it via
+        # Chrome's SingletonLock and exits without ever binding our port — the
+        # old "failed to start within 12s" loop (8h Twitter outage overnight
+        # 2026-06-02/03, root cause: a server.py regression that dropped
+        # BH_PROFILE_NAME and collapsed the linkedin/twitter harness profiles
+        # onto this one, stranding an orphan on 9556). Reap the stale owner of
+        # our EXACT profile dir (trailing space in the pattern so browser-harness
+        # never matches browser-harness-linkedin) before relaunching.
+        local _prof_dir="$HOME/.claude/browser-profiles/browser-harness"
+        local _stale_pids
+        _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+        if [ -n "$_stale_pids" ] && ! curl -sf --max-time 2 -o /dev/null http://127.0.0.1:9555/json/version 2>/dev/null; then
+            echo "[$(date +%H:%M:%S)] CDP down but Chrome still holds $_prof_dir (pids: $(echo $_stale_pids | tr '\n' ' ')); reaping stale profile owner before relaunch" >&2
+            kill $_stale_pids 2>/dev/null || true
+            sleep 2
+            _stale_pids=$(pgrep -f -- "--user-data-dir=$_prof_dir " 2>/dev/null || true)
+            [ -n "$_stale_pids" ] && { kill -9 $_stale_pids 2>/dev/null || true; sleep 1; }
+            rm -f "$_prof_dir/SingletonLock" "$_prof_dir/SingletonSocket" "$_prof_dir/SingletonCookie" 2>/dev/null || true
+        fi
         "$_chrome_bin" \
             --remote-debugging-port=9555 \
             --user-data-dir="$HOME/.claude/browser-profiles/browser-harness" \

package/skill/linkedin-recovery.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+# linkedin-recovery.sh — hourly auto-recovery for the LinkedIn killswitch.
+#
+# Problem this solves: when LinkedIn returns an HTTP 999 / authwall, the
+# killswitch (scripts/linkedin_killswitch.py) engages and every LinkedIn
+# pipeline self-aborts at startup until a human re-auths and clears the flag.
+# Most of the time the 999 is transient (a momentary rate-limit), the session
+# cookies stay valid, and the only thing keeping LinkedIn down is the flag
+# itself, which never auto-clears. That stranded the pipeline overnight on
+# 2026-06-03.
+#
+# This job, fired hourly by launchd (com.m13v.social-linkedin-recovery), does:
+#   1. recover-check — proceed ONLY if the killswitch is active AND has been so
+#      for >= LINKEDIN_RECOVERY_MIN_AGE_HOURS (default 24h). The 24h wait is the
+#      anti-bot rule: let the session sit idle after a 999 rather than hammering
+#      the login wall every tick. Not eligible -> exit immediately (no Chrome).
+#   2. Bring up the linkedin-harness Chrome (port 9556) via
+#      ensure_linkedin_browser_for_backend (also takes the pipeline lock).
+#   3. recover — a gentle read-only probe (ONE nav to /feed/, ONE nav to the
+#      recent-activity/comments endpoint that tripped it). If healthy, it clears
+#      the killswitch and emails [LI KILL] RECOVERED.
+#
+# When the flag clears, the six LinkedIn launchd jobs resume on their next fire
+# (they all gate on the killswitch file). There is NO launchctl load/unload:
+# the jobs were never unloaded, only gated, so clearing the flag is the resume.
+#
+# This script is a no-op (instant exit, no Chrome) on every hour the killswitch
+# is inactive or younger than the threshold, so it is safe to leave loaded.
+
+set -uo pipefail
+
+REPO_DIR="$HOME/social-autoposter"
+LOG_DIR="$REPO_DIR/skill/logs"
+mkdir -p "$LOG_DIR"
+LOG="$LOG_DIR/linkedin-recovery.log"
+
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG" >&2; }
+
+PY="/opt/homebrew/bin/python3"
+[ -x "$PY" ] || PY="/usr/bin/python3"
+
+# Gate: only proceed if the killswitch is active AND >= threshold old.
+# No Chrome launch otherwise — this is the common (no-op) path.
+if ! "$PY" "$REPO_DIR/scripts/linkedin_killswitch.py" recover-check >>"$LOG" 2>&1; then
+    exit 0
+fi
+
+log "killswitch eligible for auto-recovery; bringing up harness Chrome for gentle probe"
+
+# linkedin-backend.sh exports LINKEDIN_CDP_URL + LINKEDIN_DISCOVER_PYTHON and
+# provides ensure_linkedin_browser_for_backend (launches port-9556 Chrome and
+# acquires the cross-pipeline lock). Identify ourselves as the lock holder.
+export SAPS_PIPELINE_NAME="linkedin-recovery"
+# shellcheck disable=SC1091
+source "$REPO_DIR/skill/lib/linkedin-backend.sh"
+
+if ! ensure_linkedin_browser_for_backend; then
+    log "ERROR: could not bring up linkedin-harness Chrome; will retry next hour"
+    exit 0
+fi
+
+# The probe needs a Playwright-capable interpreter (3.14 lacks it; the backend
+# resolves a working one into LINKEDIN_DISCOVER_PYTHON).
+PROBE_PY="${LINKEDIN_DISCOVER_PYTHON:-$PY}"
+RESULT="$("$PROBE_PY" "$REPO_DIR/scripts/linkedin_killswitch.py" recover \
+    --cdp-url "$LINKEDIN_CDP_URL" 2>>"$LOG")"
+log "recover result: $RESULT"
+
+# On recovery the flag is now gone; the six LinkedIn jobs resume on their next
+# launchd fire. Nothing to load/unload here.
+exit 0