social-autoposter 1.6.49 → 1.6.50

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "social-autoposter",
-  "version": "1.6.49",
+  "version": "1.6.50",
   "description": "Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Install as a Claude Code agent skill.",
   "bin": {
     "social-autoposter": "bin/cli.js"

package/scripts/linkedin_killswitch.py

@@ -82,6 +82,14 @@ NOTIFICATION_EMAIL = os.environ.get("NOTIFICATION_EMAIL", "i@m13v.com")
 RECOVERY_MIN_AGE_HOURS = float(os.environ.get("LINKEDIN_RECOVERY_MIN_AGE_HOURS", "24"))
 LINKEDIN_CDP_URL = os.environ.get("LINKEDIN_CDP_URL", "http://127.0.0.1:9556")
 
+# Stop-completely policy (2026-06-03): after the 24h wait, the recovery job runs
+# a read-only probe to see if the session healed on its own. We NEVER attempt a
+# programmatic login (anti-bot rule). If the probe still shows logged-out after
+# this many failed attempts, the session is genuinely dead: we mark the
+# killswitch terminal so the hourly job stops probing entirely and a human must
+# re-auth + clear. Default 1 == "wait 24h, try once, then stop completely".
+RECOVERY_MAX_ATTEMPTS = int(os.environ.get("LINKEDIN_RECOVERY_MAX_ATTEMPTS", "1"))
+
 VALID_SIGNALS = {
     "http_999",
     "authwall_redirect",
@@ -261,33 +269,42 @@ def engage(signal, detail="", run_log_path="", extra=None, send_email=True):
 _LOGIN_MARKERS = ("/login", "/checkpoint", "/uas/login", "linkedin.com/authwall")
 
 
-def _probe_linkedin_health(cdp_url):
+def _probe_linkedin_health(cdp_url, feed_only=False):
     """Gentle, read-only health probe of the LinkedIn session.
 
     Attaches (CDP) to the already-running linkedin-harness Chrome and does the
     minimal nav set the anti-bot carve-out allows: ONE nav to /feed/ (confirms
-    we are logged in) and ONE nav to the exact /in/me/recent-activity/comments/
-    endpoint that trips the killswitch (confirms it no longer bounces to the
-    authwall). No Voyager calls, no scroll loops, no permalink fan-out, no
-    clicks/typing, no programmatic login. Reuses an existing tab and never
-    closes the shared context.
-
-    Returns (healthy: bool, detail: str). Never raises.
+    we are logged in) and, unless feed_only, ONE nav to the exact
+    /in/me/recent-activity/comments/ endpoint that trips the killswitch (confirms
+    it no longer bounces to the authwall). No Voyager calls, no scroll loops, no
+    permalink fan-out, no clicks/typing, no programmatic login. Reuses an
+    existing tab and never closes the shared context.
+
+    feed_only=True is the per-run detection gate: a single /feed/ nav is enough
+    to tell "are we still logged in?" without touching the activity endpoint on
+    every healthy pipeline fire.
+
+    Returns (healthy: bool, detail: str, conclusive: bool). Never raises.
+    conclusive=True means we definitively observed login state (healthy feed, or
+    a redirect to the authwall/login/checkpoint). conclusive=False means we
+    could not determine it (CDP attach failed, nav timeout, Chrome down): an
+    infra hiccup, NOT evidence the session is dead, so callers must not engage
+    the killswitch or count it as a failed re-login attempt on this.
     """
     try:
         from playwright.sync_api import sync_playwright
     except Exception as e:
-        return False, "playwright import failed: {}".format(e)
+        return False, "playwright import failed: {}".format(e), False
 
     try:
         with sync_playwright() as p:
             try:
                 browser = p.chromium.connect_over_cdp(cdp_url, timeout=8000)
             except Exception as e:
-                return False, "cdp attach failed ({}): {}".format(cdp_url, e)
+                return False, "cdp attach failed ({}): {}".format(cdp_url, e), False
             contexts = browser.contexts
             if not contexts:
-                return False, "cdp attach: zero contexts"
+                return False, "cdp attach: zero contexts", False
             ctx = contexts[0]
 
             page = None
@@ -312,7 +329,15 @@ def _probe_linkedin_health(cdp_url):
                 page.wait_for_timeout(2000)
                 u1 = page.url or ""
                 if any(m in u1 for m in _LOGIN_MARKERS):
-                    return False, "feed redirected to auth: {}".format(u1)
+                    return False, "feed redirected to auth: {}".format(u1), True
+
+                if feed_only:
+                    title = ""
+                    try:
+                        title = page.title() or ""
+                    except Exception:
+                        pass
+                    return True, "feed renders (title={!r}, url={})".format(title, u1), True
 
                 # Nav 2: the exact endpoint that engaged the killswitch.
                 page.goto(
@@ -323,14 +348,14 @@ def _probe_linkedin_health(cdp_url):
                 page.wait_for_timeout(2000)
                 u2 = page.url or ""
                 if any(m in u2 for m in _LOGIN_MARKERS):
-                    return False, "activity endpoint redirected to auth: {}".format(u2)
+                    return False, "activity endpoint redirected to auth: {}".format(u2), True
 
                 title = ""
                 try:
                     title = page.title() or ""
                 except Exception:
                     pass
-                return True, "feed+activity render (title={!r}, url={})".format(title, u2)
+                return True, "feed+activity render (title={!r}, url={})".format(title, u2), True
             finally:
                 if page is not None and not reused:
                     try:
@@ -338,7 +363,7 @@ def _probe_linkedin_health(cdp_url):
                     except Exception:
                         pass
     except Exception as e:
-        return False, "probe exception: {}: {}".format(type(e).__name__, e)
+        return False, "probe exception: {}: {}".format(type(e).__name__, e), False
 
 
 def _send_recovery_email(detail, age_sec):
@@ -387,6 +412,97 @@ def _send_recovery_email(detail, age_sec):
         return False, "send failed: " + str(exc)
 
 
+def is_terminal():
+    """True if auto-recovery has given up (failed re-login after the 24h wait)
+    and a human must re-auth + clear. Once terminal, the hourly recovery job
+    stops probing entirely."""
+    p = read()
+    return bool(p and p.get("recovery_terminal"))
+
+
+def _record_failed_recovery(detail):
+    """A read-only recovery probe conclusively showed still-logged-out after the
+    24h wait. Increment the attempt counter on the live state file (preserving
+    the original ts so age keeps accruing) and, once attempts reach
+    RECOVERY_MAX_ATTEMPTS, flip recovery_terminal so we stop completely.
+
+    Returns (attempts: int, terminal: bool)."""
+    p = read() or {}
+    attempts = int(p.get("recovery_attempts", 0)) + 1
+    p["recovery_attempts"] = attempts
+    p["last_recovery_ts"] = _now_iso()
+    p["last_recovery_detail"] = str(detail)[:2000]
+    terminal = attempts >= RECOVERY_MAX_ATTEMPTS
+    if terminal:
+        p["recovery_terminal"] = True
+        p["recovery_terminal_ts"] = _now_iso()
+    _ensure_dir()
+    tmp = STATE_FILE + ".tmp"
+    with open(tmp, "w") as f:
+        json.dump(p, f, indent=2)
+        f.write("\n")
+    os.replace(tmp, STATE_FILE)
+    _append_trail({
+        "event": "recovery_failed",
+        "ts": _now_iso(),
+        "attempts": attempts,
+        "terminal": terminal,
+        "detail": str(detail)[:500],
+    })
+    return attempts, terminal
+
+
+def _send_terminal_email(detail, attempts, age_sec):
+    """Notify that auto-recovery gave up; manual re-auth required."""
+    try:
+        from google.auth.transport.requests import Request
+        from google.oauth2.credentials import Credentials
+        from googleapiclient.discovery import build
+
+        if not os.path.isfile(GMAIL_TOKEN_PATH):
+            return False, "gmail token missing"
+
+        creds = Credentials.from_authorized_user_file(GMAIL_TOKEN_PATH, GMAIL_SCOPES)
+        if creds.expired and creds.refresh_token:
+            creds.refresh(Request())
+            with open(GMAIL_TOKEN_PATH, "w") as f:
+                f.write(creds.to_json())
+
+        service = build("gmail", "v1", credentials=creds, cache_discovery=False)
+        age_h = round(age_sec / 3600.0, 1) if age_sec else "?"
+        subject = "[LI KILL] AUTO-RECOVERY FAILED, manual re-auth required"
+        body_lines = [
+            "LinkedIn auto-recovery has STOPPED COMPLETELY.",
+            "",
+            "After the " + str(RECOVERY_MIN_AGE_HOURS) + "h wait, the read-only probe",
+            "ran " + str(attempts) + " attempt(s) and the session was still logged out",
+            "(redirected to the authwall/login). Per the anti-bot rule we never",
+            "log in programmatically, so the hourly recovery job will now stop",
+            "probing and every LinkedIn pipeline stays paused until you act.",
+            "",
+            "Killswitch age at give-up: " + str(age_h) + "h",
+            "Last probe detail: " + str(detail),
+            "",
+            "To resume:",
+            "  1. Open the linkedin-harness Chrome (port 9556) and sign back in.",
+            "  2. Confirm /feed/ renders without an authwall.",
+            "  3. Clear the killswitch:",
+            "       python3 ~/social-autoposter/scripts/linkedin_killswitch.py clear",
+            "",
+            "State file: " + STATE_FILE,
+            "Trail file: " + TRAIL_FILE,
+        ]
+        body = _scrub_dashes("\n".join(body_lines))
+        msg = MIMEText(body, "plain", "utf-8")
+        msg["to"] = NOTIFICATION_EMAIL
+        msg["subject"] = _scrub_dashes(subject)
+        raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("utf-8")
+        service.users().messages().send(userId="me", body={"raw": raw}).execute()
+        return True, "sent"
+    except Exception as exc:
+        return False, "send failed: " + str(exc)
+
+
 def clear():
     """Human ack: remove the flag. Trail row records who cleared it."""
     if not is_active():
@@ -444,6 +560,53 @@ def _cmd_clear(args):
     sys.exit(0)
 
 
+def _cmd_detect_gate(args):
+    """Per-run logout detector, called by ensure_linkedin_browser_for_backend so
+    ANY LinkedIn pipeline trips the killswitch on its natural next fire.
+
+    - If the killswitch is already active: no-op, exit 0 (the file gate / hourly
+      recovery already own the situation; don't double-probe).
+    - Otherwise run a single read-only /feed/ probe. If it CONCLUSIVELY shows
+      logged-out (redirect to authwall/login/checkpoint), engage the killswitch
+      (signal login_redirect) and exit 2 so the caller can abort this fire. The
+      flag pauses every other pipeline on its next fire and starts the 24h
+      recovery clock. Healthy or inconclusive (infra) -> exit 0, proceed."""
+    if is_active():
+        # Already flagged: nothing to detect. Stay silent + cheap.
+        sys.exit(0)
+    cdp_url = args.cdp_url or LINKEDIN_CDP_URL
+    healthy, detail, conclusive = _probe_linkedin_health(cdp_url, feed_only=True)
+    _append_trail({
+        "event": "detect_gate",
+        "ts": _now_iso(),
+        "healthy": healthy,
+        "conclusive": conclusive,
+        "detail": detail,
+    })
+    if healthy:
+        print("detect-gate: session healthy ({})".format(detail), file=sys.stderr)
+        sys.exit(0)
+    if not conclusive:
+        # Couldn't determine (CDP down, nav timeout). Don't engage on infra
+        # noise; let the pipeline's own SESSION_INVALID handling deal with it.
+        print("detect-gate: inconclusive ({}), proceeding".format(detail), file=sys.stderr)
+        sys.exit(0)
+    # Conclusively logged out. Trip the killswitch for the whole fleet.
+    run_log_path = os.environ.get("SAPS_RUN_LOG_PATH", "")
+    engage(
+        signal="login_redirect",
+        detail="detect-gate: {}".format(detail),
+        run_log_path=run_log_path,
+        extra={"detected_by": os.environ.get("SAPS_PIPELINE_NAME", "?"), "probe": "feed_only"},
+        send_email=not args.no_email,
+    )
+    print(
+        "detect-gate: LOGGED OUT, killswitch ENGAGED ({}); aborting this fire".format(detail),
+        file=sys.stderr,
+    )
+    sys.exit(2)
+
+
 def _cmd_recover_check(args):
     """Gate for the hourly recovery job: exit 0 only if the killswitch is
     active AND has been so for >= RECOVERY_MIN_AGE_HOURS. Lets the shell
@@ -451,6 +614,13 @@ def _cmd_recover_check(args):
     if not is_active():
         print("recover-check: killswitch not active, nothing to recover", file=sys.stderr)
         sys.exit(1)
+    if is_terminal():
+        print(
+            "recover-check: TERMINAL (auto-recovery gave up after failed re-login); "
+            "manual re-auth + clear required, not probing",
+            file=sys.stderr,
+        )
+        sys.exit(1)
     age = age_seconds()
     min_age = RECOVERY_MIN_AGE_HOURS * 3600
     if age is None:
@@ -484,6 +654,9 @@ def _cmd_recover(args):
     if not is_active():
         print(json.dumps({"recovered": False, "reason": "not_active"}))
         sys.exit(0)
+    if is_terminal():
+        print(json.dumps({"recovered": False, "reason": "terminal_manual_required"}))
+        sys.exit(0)
     age = age_seconds()
     min_age = RECOVERY_MIN_AGE_HOURS * 3600
     if not args.force and (age is None or age < min_age):
@@ -495,16 +668,38 @@ def _cmd_recover(args):
         sys.exit(0)
 
     cdp_url = args.cdp_url or LINKEDIN_CDP_URL
-    healthy, detail = _probe_linkedin_health(cdp_url)
+    healthy, detail, conclusive = _probe_linkedin_health(cdp_url)
     _append_trail({
         "event": "recover_probe",
         "ts": _now_iso(),
         "healthy": healthy,
+        "conclusive": conclusive,
         "detail": detail,
         "age_hours": (round(age / 3600.0, 2) if age else None),
     })
     if not healthy:
-        print(json.dumps({"recovered": False, "reason": "probe_unhealthy", "detail": detail}))
+        # Inconclusive (CDP down, nav timeout): infra hiccup, not a dead
+        # session. Do NOT count it as a failed re-login; just retry next hour.
+        if not conclusive:
+            print(json.dumps({
+                "recovered": False,
+                "reason": "probe_inconclusive",
+                "detail": detail,
+            }))
+            sys.exit(0)
+        # Conclusively still logged out after the 24h wait. Record the failed
+        # attempt; once we hit RECOVERY_MAX_ATTEMPTS we stop completely.
+        attempts, terminal = _record_failed_recovery(detail)
+        if terminal and not args.no_email:
+            ok, msg = _send_terminal_email(detail, attempts, age)
+            _append_trail({"event": "terminal_email", "ok": ok, "msg": msg})
+        print(json.dumps({
+            "recovered": False,
+            "reason": ("recovery_terminal" if terminal else "relogin_failed_retrying"),
+            "attempts": attempts,
+            "terminal": terminal,
+            "detail": detail,
+        }))
         sys.exit(0)
 
     clear()
@@ -532,6 +727,13 @@ def main():
 
     sub.add_parser("clear", help="clear the killswitch (human ack)")
 
+    dg = sub.add_parser(
+        "detect-gate",
+        help="per-run logout probe; engage + exit 2 if conclusively logged out",
+    )
+    dg.add_argument("--cdp-url", default="", help="harness CDP URL (default $LINKEDIN_CDP_URL)")
+    dg.add_argument("--no-email", action="store_true", help="skip engage alert email")
+
     sub.add_parser(
         "recover-check",
         help="exit 0 if active AND >= RECOVERY_MIN_AGE_HOURS old (else 1)",
@@ -551,6 +753,7 @@ def main():
         "status": _cmd_status,
         "engage": _cmd_engage,
         "clear": _cmd_clear,
+        "detect-gate": _cmd_detect_gate,
         "recover-check": _cmd_recover_check,
         "recover": _cmd_recover,
     }[args.cmd](args)

package/scripts/twitter_browser.py

@@ -531,9 +531,10 @@ def _wait_for_reply_textbox(page, total_timeout_ms=45000):
 
 # Post-action interstitials X shows AFTER a successful reply (e.g. the
 # "Unlock more on X" graduated-access sheet). They don't block the post that
-# triggered them, but the sheet stays up and overlays the composer on the NEXT
-# reply in a batch -> spurious reply_box_not_found for posts 2..N. We dismiss
-# them deterministically before looking for the reply box. Targeted by the
+# triggered them, but the sheet stays up on screen and would overlay the
+# composer on the NEXT reply in a batch -> spurious reply_box_not_found for
+# posts 2..N. We dismiss them deterministically right after each successful
+# post (not before the next reply), so the sheet never lingers. Targeted by the
 # sheet's CTA label so we never touch a real compose/confirm dialog (those have
 # no "Got it"); best-effort, fast, never raises.
 _OVERLAY_DISMISS_LABELS = ("Got it", "Dismiss")
@@ -841,12 +842,6 @@ def reply_to_tweet(tweet_url, text, apply_campaigns=True):
                     tweet_not_found = True
                     break
 
-                # A nudge sheet left over from the previous reply in this batch
-                # (e.g. "Unlock more on X") can sit on top of the composer and
-                # mask tweetTextarea_0. Clear it first so the wait below sees the
-                # real reply box instead of failing reply_box_not_found.
-                _dismiss_known_overlays(page)
-
                 reply_box = _wait_for_reply_textbox(page, total_timeout_ms=45000)
                 if reply_box:
                     break
@@ -904,6 +899,14 @@ def reply_to_tweet(tweet_url, text, apply_campaigns=True):
             except Exception:
                 verified = True
 
+            # Dismiss the post-success interstitial X shows right after a reply
+            # (e.g. the "Unlock more on X" graduated-access sheet). It animates
+            # in on top of the composer once the reply lands, so we close it
+            # here, immediately after the post succeeds, rather than before the
+            # next reply -> the sheet never lingers on screen and never masks
+            # the next reply box. Best-effort, fast, never raises.
+            _dismiss_known_overlays(page)
+
             # Clean up CDP session
             if _cdp_session:
                 try:

package/skill/lib/linkedin-backend.sh

@@ -313,6 +313,40 @@ ensure_linkedin_browser_for_backend() {
     # Always close leftover tabs from prior runs. Safe under acquire_lock
     # "linkedin-browser" serialization.
     cleanup_harness_tabs
+
+    # Per-run logout detection (2026-06-03). Every browser pipeline funnels
+    # through here before it touches LinkedIn, so this single call makes ANY
+    # pipeline trip the killswitch on its natural next fire if the harness
+    # Chrome has been logged out (999 / authwall / checkpoint), without editing
+    # the chflags-locked top-level scripts. detect-gate is a no-op when the
+    # killswitch is already active, and only ENGAGES on a CONCLUSIVE /feed/
+    # redirect to auth (infra hiccups -> proceed, so a flaky render never
+    # strands the pipeline). On a confirmed logout it engages the flag (which
+    # pauses every pipeline on its next fire + starts the 24h recovery clock)
+    # and returns 2, so we abort this fire instead of burning a Claude session
+    # on a dead session.
+    _linkedin_session_detect_gate
+}
+
+# Once-per-process guard mirrors _LI_PIPELINE_LOCK_HELD: run-linkedin.sh calls
+# ensure_linkedin_browser_for_backend in both Phase A and Phase B, and we do not
+# want two /feed/ probes per fire.
+_linkedin_session_detect_gate() {
+    if [ "${_LI_SESSION_PROBED:-0}" = "1" ]; then
+        return 0
+    fi
+    export _LI_SESSION_PROBED=1
+    local _py="${LINKEDIN_DISCOVER_PYTHON:-python3}"
+    # `|| _rc=$?` so a nonzero exit (e.g. 2 = logged out) is "handled" and does
+    # not trip a caller's `set -e` before we inspect the code ourselves.
+    local _rc=0
+    "$_py" "$HOME/social-autoposter/scripts/linkedin_killswitch.py" detect-gate \
+        --cdp-url "${LINKEDIN_CDP_URL:-$_BH_LINKEDIN_DEFAULT_URL}" >&2 || _rc=$?
+    if [ "$_rc" = "2" ]; then
+        echo "[$(date +%H:%M:%S)] detect-gate tripped the LinkedIn killswitch; aborting this fire" >&2
+        return 1
+    fi
+    return 0
 }
 
 defer_if_foreign_for_backend() {