Addresses Greptile review feedback:
- ChromaSync: replace PID-based sort with ps etime column + parseElapsedTime()
for reliable age ordering (PIDs wrap and don't guarantee ordering)
- ProcessManager: filter out entries with unparseable etime (-1) before
sorting to prevent sort corruption in cleanupExcessChromaProcesses()
During SIGHUP testing with 6+ active sessions, ChromaSync.ensureConnection()
had no mutex — concurrent fire-and-forget syncObservation() calls each spawned
a chroma-mcp subprocess via StdioClientTransport, creating 641 orphans in ~5min.
Error-driven reconnection formed a positive feedback loop amplifying the storm.
Defense layers:
- Layer 0: Connection mutex via promise memoization (prevents concurrent spawns)
- Layer 1: Pre-spawn process count guard using execFileSync('ps') (kills excess)
- Layer 2: Hardened close() with try-finally + Unix pkill in GracefulShutdown
- Layer 3: Count-based orphan reaper in ProcessManager (not age-based)
- Layer 4: Circuit breaker stops retries after 3 consecutive failures for 60s
Closes#1063, closes#695
Relates to #1010, #707
Root cause: registerSignalHandlers() handled SIGTERM/SIGINT but not
SIGHUP. When the parent hook process exits, the kernel sends SIGHUP
to the daemon, causing immediate termination (default signal action).
Belt-and-suspenders fix:
1. SIGHUP handler: ignore in daemon mode, graceful shutdown otherwise
2. setsid: spawn daemon in new session on Linux (prevents SIGHUP delivery)
3. Global unhandledRejection/uncaughtException guards in daemon mode
Missing return statement and closing brace in the programming errors
check caused a build failure after merging main.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three fixes to make OpenClaw agent observations work end-to-end:
1. Session init in before_agent_start — the worker's privacy check
requires a stored user prompt; without calling /api/sessions/init,
all observations were skipped as "private"
2. Race condition fix in agent_end — await summarize before sending
complete, preventing session deletion before in-flight observation
POSTs arrive
3. OAuth token pass-through in buildIsolatedEnv — spawned Claude CLI
processes now receive CLAUDE_CODE_OAUTH_TOKEN from the worker's
env when no explicit API key is configured
Also adds agent-specific emoji mapping and dynamic project naming
for the Telegram observation feed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reduce timeouts to eliminate 10-30s startup delay when worker is dead
(common on WSL2 after hibernate). Add stale PID detection, graceful
error handling across all handlers, and error classification that
distinguishes worker unavailability from handler bugs.
- HEALTH_CHECK 30s→3s, new POST_SPAWN_WAIT (5s), PORT_IN_USE_WAIT (3s)
- isProcessAlive() with EPERM handling, cleanStalePidFile()
- getPluginVersion() try-catch for shutdown race (#1042)
- isWorkerUnavailableError: transport+5xx+429→exit 0, 4xx→exit 2
- No-op handler for unknown event types (#984)
- Wrap all handler fetch calls in try-catch for graceful degradation
- CLAUDE_MEM_HEALTH_TIMEOUT_MS env var override with validation
1. ProcessManager: Migrate spawnDaemon() from WMIC to PowerShell Start-Process
- WMIC deprecated in Windows 11, PowerShell inherits env vars properly
- Use -WindowStyle Hidden to prevent console popups
- Fix redundant backslash escaping in PowerShell $_ variables
2. ChromaSync: Re-enable vector search on Windows
- Remove overly defensive platform check that disabled all semantic search
- Worker daemon starts with -WindowStyle Hidden; child processes inherit
- MCP SDK's StdioClientTransport uses shell:false, no new console created
3. worker-service: Unified DB-ready gate middleware
- Replace single-endpoint /api/sessions/init wait with global middleware
- Hold all DB-dependent requests until database is initialized (30s timeout)
- Whitelist static assets, /health, and viewer page for immediate response
- Separate dbReadyPromise (DB only) from initializationComplete (full init)
- Fixes "Database not initialized" errors on /stream, /summarize, /init
4. EnvManager: Switch from allowlist to blocklist for subprocess env
- Only strip ANTHROPIC_API_KEY to prevent Issue #733 billing hijack
- Pass through all other vars (ANTHROPIC_AUTH_TOKEN, ANTHROPIC_BASE_URL, etc.)
- Simpler, less fragile than maintaining an exhaustive system vars allowlist
Cherry-picked source changes from PR #657 (224 commits behind main).
Adds `claude-mem generate` and `claude-mem clean` CLI commands:
- New src/cli/claude-md-commands.ts with generateClaudeMd() and cleanClaudeMd()
- Worker service generate/clean case handlers with --dry-run support
- CLAUDE_MD logger component type
- Uses shared isDirectChild from path-utils.ts (DRY improvement over PR original)
Skipped from PR: 91 CLAUDE.md file deletions (stale), build artifacts,
.claude/plans/ dev artifact, smart-install.js shell alias auto-injection
(aggressive profile modification without consent).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cherry-picked both PRs to main (both had merge conflicts with current main).
PR #920 (@Spunky84): CLAUDE_MEM_EXCLUDED_PROJECTS setting with glob patterns
to exclude entire projects from memory tracking (privacy/confidentiality).
Early-exit in session-init and observation handlers. 11 unit tests.
PR #699 (@leepokai): CLAUDE_MEM_FOLDER_MD_EXCLUDE setting with JSON array
of paths to exclude from CLAUDE.md file generation (fixes SwiftUI/Xcode
build conflicts and drizzle kit migration failures). Closes#620.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds save_memory MCP tool allowing users to manually save observations
for semantic search. Source changes cherry-picked from PR #662 by
@darconada (build artifact conflicts resolved by direct application).
Closes#645.
Co-Authored-By: darconadalabarga <darconada@arsys.es>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cherry-picked from PR #844 by @thusdigital. Sessions stayed in active
sessions map forever after summarize, causing the orphan reaper to think
all processes were still active. Adds session-complete as Stop phase 2
hook that calls POST /api/sessions/complete to remove sessions from the
active map, allowing the reaper to correctly identify and clean up
orphaned worker processes. Fixes#842.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cherry-picked source changes from PR #889 by @Et9797. Fixes#846.
Key changes:
- Add ensureMemorySessionIdRegistered() guard in SessionStore.ts
- Add ON UPDATE CASCADE migration (schema v21) for observations and session_summaries FK constraints
- Change message queue from claim-and-delete to claim-confirm pattern (PendingMessageStore.ts)
- Add spawn deduplication and unrecoverable error detection in SessionRoutes.ts and worker-service.ts
- Add forceInit flag to SDKAgent for stale session recovery
Build artifacts skipped (pre-existing dompurify dep issue). Path fixes (HealthMonitor.ts, worker-utils.ts)
already merged via PR #634.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cherry-picked source changes from PR #721. Fixes two Cursor standalone
setup bugs:
1. findCursorHooksDir() now checks for hooks.json (unified CLI mode)
in addition to legacy common.sh/common.ps1 scripts
2. installCursorHooks() now uses bun instead of node for hook commands
since worker-service.cjs depends on bun:sqlite
3. Added findBunPath() to detect bun executable across platforms
Build artifacts skipped (pre-existing dompurify viewer dep issue).
Source-only cherry-pick, TypeScript compilation clean for modified file.
Co-Authored-By: polux0 <aleksaprosperitylabs@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Root cause: Claude Code doesn't close stdin after writing hook input,
so stdin.on('end') never fires.
Previous approach: Timeout-based workaround (wait 5s then parse).
New approach: JSON is self-delimiting. We attempt to parse after each
data chunk. Once we have valid JSON, we resolve immediately without
waiting for EOF. This is the proper fix - hooks now exit in <500ms
instead of waiting for any timeout.
Changes:
- Add tryParseJson() to detect complete JSON
- Parse after each stdin chunk, resolve immediately on success
- Add 50ms parse delay for multi-chunk delivery edge case
- Safety timeout (30s) only for truly malformed input
- Removes dependency on stdin.on('end') which never fires
Testing:
- Normal operation: 448ms (was 5000ms+ with timeout approach)
- Stdin stays open: Process exits immediately after JSON complete
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change from absolute timeout to inactivity timeout (reset on each data chunk)
to avoid truncating large/slow payloads
- Fix race condition: add resolved=true before resolving in catch block
- Fix unreliable readable check: just access the property, don't check value
- Add cleanup() call in catch block for consistency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes#727 (PostToolUse hooks hanging at "1/2 done")
Addresses #646 (Bun stdin EINVAL crash)
Root causes:
1. Bun crashes with EINVAL when Claude Code doesn't provide valid stdin fd
2. stdin.on('end') never fires if Claude Code doesn't close stdin properly
Changes:
- Add isStdinAvailable() to safely check stdin before reading
- Wrap stdin access in try-catch to handle Bun's lazy fstat crash
- Add 5-second timeout to prevent indefinite hangs
- Gracefully return undefined instead of crashing on stdin errors
- Properly clean up event listeners to prevent memory leaks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds applyEnvOverrides() method to SettingsDefaultsManager ensuring
env vars take highest priority over file and default settings.
Configuration priority is now: env > file > defaults.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add MARKETPLACE_ROOT constant to paths.ts and update 5 source files to use
centralized path constants instead of hardcoded ~/.claude paths. Preserves
backwards compatibility when CLAUDE_CONFIG_DIR is not set.
Based on PR #634 by @Kuroakira, cherry-picked onto main due to build artifact
merge conflicts (source changes applied cleanly).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Gemini API requires the -preview suffix for the Gemini 3 Flash model.
gemini-3-flash does not exist - only gemini-3-flash-preview is available.
This was causing 404 errors when users selected this model option.
Closes#831
Co-Authored-By: Glucksberg <markuscontasul@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a user exits Claude Code before any assistant response is generated,
the summarize Stop hook would crash with:
"No message found for role 'assistant' in transcript"
This happened because extractLastMessage() threw an error when no message
of the requested role was found. The fix returns an empty string instead,
which the summarize handler already handles gracefully (it logs
hasLastAssistantMessage: false and continues).
This is consistent with the function's existing behavior - it already
returns '' in other edge cases (line 64).
Fixes sessions that exit early before assistant responds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The parser's regex patterns used `[^<]*` and `[^<]+` which fail immediately
when content contains any `<` character (like nested tags or code snippets).
Example failure case:
```xml
<investigated>
<item>Checked parser.ts</item>
</investigated>
```
The `[^<]*` pattern stops at the first `<` of `<item>`, causing extractField()
to return null even though valid content exists.
## Changes
- `extractField()`: Changed from `[^<]*` to `[\s\S]*?` (non-greedy match any char)
- `extractArrayElements()`: Changed from `[^<]+` to `[\s\S]*?` for both array and element patterns
The `[\s\S]*?` pattern matches any character including newlines, non-greedily,
allowing nested XML tags to be captured correctly.
Fixes#798
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds automatic detection and handling of Zscaler enterprise security certificates
on macOS. Combines standard certifi CA certificates with Zscaler certificates into
a single bundle, passed via SSL_CERT_FILE/REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE env vars
to the chroma-mcp subprocess. Certificate bundle is cached for 24 hours. Falls back
gracefully when Zscaler is not present, with no impact on non-Zscaler environments.
Co-Authored-By: RClark4958 <rickdclark48@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes#761
Root cause: When connection errors occur (MCP error -32000, Connection closed),
the code was resetting \`connected\` and \`client\` but NOT calling
\`transport.close()\`, leaving the chroma-mcp subprocess alive. Each
reconnection attempt spawned a NEW process while old ones accumulated.
Changes:
- Close transport before resetting state in ensureCollection() error handler
- Close transport before resetting state in queryChroma() error handler
- Set transport = null after closing to match close() method behavior
- Add regression tests for Issue #761 with source code verification
Tested on macOS - no more zombie processes after the fix.
ChromaSync.queryChroma() returns deduplicated sqlite_ids but the
metadatas array contains multiple entries per observation (narrative +
facts). The filterByRecency() method was iterating over metadatas and
using the index to access ids, causing array out-of-bounds access.
The fix builds a Map from sqlite_id to metadata, then iterates over
the deduplicated ids array to ensure proper alignment.
Symptoms before fix:
- Semantic search returning incorrect/empty results
- Search only working with near-exact queries
- Recent items (same day) not being found
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Gemini and OpenRouter are stateless APIs that never return session IDs.
Without synthetic IDs, PR #693's defensive memorySessionId checks throw
errors on every observation processing call for these providers.
Generates provider-prefixed IDs (gemini-/openrouter-{contentSessionId}-
{timestamp}) before the first API call, persisted to the database via
updateMemorySessionId(). Applied from PR #615 (closed due to staleness).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Applies PR #741 by @licutis onto main, resolving conflicts with
recently merged PRs #693, #937, and #627. Adds getActiveAgent() to
WorkerService so startup-recovery uses the correct provider instead
of hardcoding SDKAgent. Also cleans up sessions stuck 'active' for
6+ hours and their pending messages before processing orphaned queues.
Co-Authored-By: licutis <43884712+licutis@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a generator exits with wasAborted=true, the AbortController remains in
aborted state but generatorPromise is set to null. When a new observation
arrives, ensureGeneratorRunning() sees generatorPromise=null and tries to
start a new generator, but the new generator immediately sees
signal.aborted=true and exits, causing an infinite "Generator aborted" loop.
This fix resets the AbortController if it's already aborted before starting
a new generator, allowing the session to recover from the stuck state.
Bug reproduction:
1. Session receives observations
2. Something causes the generator to be aborted
3. generatorPromise = null, but abortController.signal.aborted = true
4. New observation arrives → starts generator → immediately aborted → loop
Fix: Check if abortController.signal.aborted before starting generator,
and create a new AbortController if needed.
PostToolUse hook can create the session before UserPromptSubmit's
session-init sets the project, leaving it empty. Add an UPDATE after
INSERT OR IGNORE to backfill the project when a later hook provides it.
Closes#939
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add restart limit (max 3 consecutive restarts) with exponential backoff
to prevent infinite generator restart loops. Also add defensive
memorySessionId checks in GeminiAgent and OpenRouterAgent before
expensive LLM calls to fail fast when session ID hasn't been captured.
Based on PR #693 by @ajbmachon (applied to current main).
Co-Authored-By: Andre Machon <ajbmachon2@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
JSON.parse preserves native types, so boolean true/false stay as
booleans rather than strings. The previous check only handled string
'true', meaning users who set `"ENABLED": true` (boolean) wouldn't
have the feature work.
Now both `getBool()` helper and ResponseProcessor check handle:
- String 'true' → enabled
- Boolean true → enabled
- Any other value → disabled
Tested: Confirmed feature stays disabled with string "false" and
no new CLAUDE.md files are created when accessing directories.
The CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED setting was documented but never
actually checked in code. The folder CLAUDE.md generation ran
unconditionally whenever files were touched.
Changes:
- Add CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED to SettingsDefaults interface
- Add default value 'false' to DEFAULTS object
- Check setting in ResponseProcessor before calling updateFolderClaudeMdFiles
Fixes the issue identified in issue-600-documentation-audit-features-not-implemented.md:
"The setting CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED is never read."
Add exclusion list for directories where CLAUDE.md generation breaks
toolchains: res/ (Android aapt2), .git/, build/, node_modules/,
__pycache__/. Closes issue #912. Credit to @jayvenn21.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add hasConsecutiveDuplicateSegments() check to isValidPathForClaudeMd() to reject paths
like frontend/frontend/ or src/src/ that occur when cwd already includes the directory name.
3 new tests added (46 total for claude-md-utils). Fixes#814. Credit to @Glucksberg.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prevents "file modified since read" errors when Claude Code is actively editing
a CLAUDE.md file by detecting CLAUDE.md paths in observation file lists and
skipping those folders during updates. Closes#859. Credit: @cheapsteak.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Image-only prompts have empty text content, causing session-init handler
to skip session creation entirely. Use '[media prompt]' placeholder so
sessions still get created and tracked in memory.
Closes PR #928 (applied directly due to merge conflicts with outdated base).
Credit: @iammike for identifying the issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes a race condition where the UserPromptSubmit hook could call
/api/sessions/init before the database is fully initialized, resulting
in a 500 error with "Database not initialized".
Root cause:
- Worker starts HTTP server immediately for fast startup
- Health endpoint (/api/health) returns OK when server is listening
- session-init hook waits for health check, then calls /api/sessions/init
- Database initialization happens in background, creating a race window
Solution:
- Add early handler for /api/sessions/init that waits for initialization
- Uses same pattern as existing /api/context/inject handler
- Returns 503 with retry message if initialization times out
The fix ensures hooks receive proper responses even during the brief
startup window when the server is listening but DB isn't ready yet.
Co-Authored-By: Claude Code <noreply@anthropic.com>
When a user submits an empty or whitespace-only prompt to Claude Code,
the UserPromptSubmit hook would throw "sessionInitHandler requires prompt"
and block the operation.
This change returns early with `{ continue: true }` instead of throwing,
allowing the session to continue gracefully.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The startup cleanupOrphanedProcesses() only targeted chroma-mcp, leaving
orphaned mcp-server.cjs and worker-service.cjs processes undetected after
daemon crashes. Expanded to target all claude-mem process types with
30-minute age filtering and current PID exclusion. Closes PR #687 (which
had a spawnDaemon regression removing Windows WMIC support).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Alex Newman