Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openclaw/src/agents/usage-log.ts

180 lines
6.5 KiB
TypeScript
Raw Normal View History

fix(git-hooks,usage-log): fix two CI failures pre-commit: guard the resolve-node.sh source with a file-existence check so the hook works in test environments that stub only the files they care about (the integration test creates run-node-tool.sh but not resolve-node.sh; node is provided via a fake binary in PATH so the nvm fallback is never needed in that context). usage-log: replace Math.random() in makeId() with crypto.randomBytes() to satisfy the temp-path-guard security lint rule that rejects weak randomness in source files.
2026-03-13 14:57:25 +00:00
import { randomBytes } from "crypto";
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
import fs from "fs/promises";
import path from "path";
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
import { type FileLockOptions, withFileLock } from "../infra/file-lock.js";
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
export type TokenUsageRecord = {
id: string;
label: string;
tokensUsed: number;
tokenLimit?: number;
inputTokens?: number;
outputTokens?: number;
cacheReadTokens?: number;
cacheWriteTokens?: number;
model?: string;
provider?: string;
runId?: string;
sessionId?: string;
sessionKey?: string;
createdAt: string;
};
function makeId() {
fix(git-hooks,usage-log): fix two CI failures pre-commit: guard the resolve-node.sh source with a file-existence check so the hook works in test environments that stub only the files they care about (the integration test creates run-node-tool.sh but not resolve-node.sh; node is provided via a fake binary in PATH so the nvm fallback is never needed in that context). usage-log: replace Math.random() in makeId() with crypto.randomBytes() to satisfy the temp-path-guard security lint rule that rejects weak randomness in source files.
2026-03-13 14:57:25 +00:00
return `usage_${Date.now().toString(36)}_${randomBytes(4).toString("hex")}`;
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
}
async function readJsonArray(file: string): Promise<TokenUsageRecord[]> {
try {
const raw = await fs.readFile(file, "utf-8");
const parsed = JSON.parse(raw);
fix(usage-log): reject non-array token logs instead of resetting history readJsonArray treated any valid JSON that is not an array as [], causing appendRecord to overwrite the file with only the new entry — silently deleting all prior data. This is the same data-loss mode the malformed-JSON fix was trying to prevent. Fix: throw ERR_UNEXPECTED_TOKEN_LOG_SHAPE when parsed JSON is not an array so appendRecord aborts and the existing file is preserved.
2026-03-13 23:35:12 +00:00
if (!Array.isArray(parsed)) {
// Valid JSON but unexpected shape (object, number, string, …).
// Returning [] here would cause appendRecord to overwrite the file
// with only the new entry, silently deleting prior data.
throw Object.assign(
new Error(
`token-usage.json contains valid JSON but is not an array (got ${typeof parsed})`,
),
{ code: "ERR_UNEXPECTED_TOKEN_LOG_SHAPE" },
);
}
return parsed as TokenUsageRecord[];
fix(usage-log): propagate non-ENOENT read errors to prevent silent data loss readJsonArray previously caught all errors and returned [], so a malformed token-usage.json (e.g. from an interrupted writeFile) caused the next recordTokenUsage call to overwrite the file with only the new entry, permanently erasing all prior records. Fix: only suppress ENOENT (file not yet created). Any other error (SyntaxError, EACCES, …) is re-thrown so appendRecord aborts and the existing file is left intact. The write-queue slot still absorbs the rejection via .catch() so future writes are not stalled; callers that need to observe the failure (e.g. attempt.ts) can attach their own .catch() handler.
2026-03-13 14:25:13 +00:00
} catch (err) {
// File does not exist yet — start with an empty array.
if ((err as NodeJS.ErrnoException).code === "ENOENT") {
return [];
}
// Any other error (malformed JSON, permission denied, partial write, …)
// must propagate so appendRecord aborts and the existing file is not
// silently overwritten with only the new entry.
throw err;
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
}
}
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
// ---------------------------------------------------------------------------
// Cross-process file lock
//
// The in-memory writeQueues Map serialises writes within a single Node
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
// process. Two concurrent OpenClaw processes targeting the same
// workspaceDir can still race, so we use an advisory O_EXCL lock provided
// by the shared withFileLock helper in plugin-sdk/file-lock.ts.
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
//
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
// That implementation:
// • stores {pid, createdAt} so waiters can detect a crashed holder
// • treats empty/unparseable lock content as stale (crash during open→write)
// • re-verifies the lock inode before removing it so a slow waiter's
// unlink cannot delete a fresh lock from another process
// • uses exponential backoff with jitter capped at stale ms
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
// ---------------------------------------------------------------------------
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
const APPEND_LOCK_OPTIONS: FileLockOptions = {
fix(usage-log): increase lock stale window to 30 s to prevent active-lock steals appendRecord rewrites the full token-usage.json on every write, so lock hold time grows with file size and disk speed. The previous stale: 5_000 was too tight: on large histories or slow disks a write can legitimately take longer than 5 s, allowing a concurrent waiter to treat the still- active lock as stale, reclaim it, and run an overlapping read-modify-write cycle that silently drops the earlier writer's entry. The risk is amplified by the attempt path where recordTokenUsage is fired without awaiting, so multiple concurrent runs can legitimately overlap. Fix: • Raise stale to 30_000 ms — gives ample headroom for large files on slow disks while still reclaiming crashed-process locks within 30 s. • Match the retry budget: 150 retries × 200 ms ≈ 30 s with jitter, so waiters exhaust retries only when the holder exceeds the stale window (i.e., is genuinely stuck or has crashed).
2026-03-16 03:07:47 +00:00
// appendRecord rewrites the full token-usage.json on every call, so hold
// time scales with file size and disk speed. 5 s was too tight: a slow
// write on a large history could exceed the stale window and allow a
// concurrent waiter to steal an active lock, causing overlapping
// read-modify-write cycles that silently drop entries.
//
// 30 s gives plenty of headroom for large files on slow disks while still
// reclaiming locks left by crashed processes within a reasonable window.
// The retry budget (~150 × 200 ms = 30 s) matches the stale window so
// waiters exhaust retries only if the holder holds longer than stale,
// i.e., is genuinely stuck or crashed.
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
retries: {
fix(usage-log): increase lock stale window to 30 s to prevent active-lock steals appendRecord rewrites the full token-usage.json on every write, so lock hold time grows with file size and disk speed. The previous stale: 5_000 was too tight: on large histories or slow disks a write can legitimately take longer than 5 s, allowing a concurrent waiter to treat the still- active lock as stale, reclaim it, and run an overlapping read-modify-write cycle that silently drops the earlier writer's entry. The risk is amplified by the attempt path where recordTokenUsage is fired without awaiting, so multiple concurrent runs can legitimately overlap. Fix: • Raise stale to 30_000 ms — gives ample headroom for large files on slow disks while still reclaiming crashed-process locks within 30 s. • Match the retry budget: 150 retries × 200 ms ≈ 30 s with jitter, so waiters exhaust retries only when the holder exceeds the stale window (i.e., is genuinely stuck or has crashed).
2026-03-16 03:07:47 +00:00
retries: 150,
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
factor: 1,
fix(usage-log): increase lock stale window to 30 s to prevent active-lock steals appendRecord rewrites the full token-usage.json on every write, so lock hold time grows with file size and disk speed. The previous stale: 5_000 was too tight: on large histories or slow disks a write can legitimately take longer than 5 s, allowing a concurrent waiter to treat the still- active lock as stale, reclaim it, and run an overlapping read-modify-write cycle that silently drops the earlier writer's entry. The risk is amplified by the attempt path where recordTokenUsage is fired without awaiting, so multiple concurrent runs can legitimately overlap. Fix: • Raise stale to 30_000 ms — gives ample headroom for large files on slow disks while still reclaiming crashed-process locks within 30 s. • Match the retry budget: 150 retries × 200 ms ≈ 30 s with jitter, so waiters exhaust retries only when the holder exceeds the stale window (i.e., is genuinely stuck or has crashed).
2026-03-16 03:07:47 +00:00
minTimeout: 200,
maxTimeout: 200,
randomize: true,
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
},
fix(usage-log): increase lock stale window to 30 s to prevent active-lock steals appendRecord rewrites the full token-usage.json on every write, so lock hold time grows with file size and disk speed. The previous stale: 5_000 was too tight: on large histories or slow disks a write can legitimately take longer than 5 s, allowing a concurrent waiter to treat the still- active lock as stale, reclaim it, and run an overlapping read-modify-write cycle that silently drops the earlier writer's entry. The risk is amplified by the attempt path where recordTokenUsage is fired without awaiting, so multiple concurrent runs can legitimately overlap. Fix: • Raise stale to 30_000 ms — gives ample headroom for large files on slow disks while still reclaiming crashed-process locks within 30 s. • Match the retry budget: 150 retries × 200 ms ≈ 30 s with jitter, so waiters exhaust retries only when the holder exceeds the stale window (i.e., is genuinely stuck or has crashed).
2026-03-16 03:07:47 +00:00
stale: 30_000,
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
};
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
fix(usage-log): serialise concurrent writes with per-file promise queue Fire-and-forget callers (attempt.ts) can trigger two concurrent recordTokenUsage() calls for the same workspaceDir. The previous read-modify-write pattern had no locking, so the last writer silently overwrote the first, losing that run's entry. Fix: keep a Map<file, Promise<void>> write queue so each write awaits the previous one. The queue slot is replaced with a no-throw wrapper so a failed write does not stall future writes. Added a concurrent-write test (20 parallel calls) that asserts no record is lost.
2026-03-13 09:37:25 +00:00
async function appendRecord(file: string, entry: TokenUsageRecord): Promise<void> {
refactor(usage-log): delegate cross-process lock to plugin-sdk/file-lock appendRecord wrote token-usage.json in place with a direct fs.writeFile call; a crash or SIGKILL during that write left truncated JSON. Because readJsonArray now throws on any non-ENOENT error (to prevent silent data loss) and recordTokenUsage callers swallow the error via .catch(), one corrupted write permanently disabled all future token logging until the file was manually repaired. The in-place-write bug was fixed in 8c162d0ba via a temp-file + atomic rename approach, but usage-log.ts still carried its own private withFileLock / isLockStale implementation. That inline lock had two known bugs that were fixed in plugin-sdk/file-lock.ts but never applied here: 1. isLockStale treated empty / unparseable lock content as 'not stale' — a process that crashes between open('wx') and writeFile(pid) leaves an empty .lock that appeared live forever, blocking all future writers until it was manually removed. 2. No inode identity check before unlink: two waiters observing the same stale lock could both call unlink; the slower one would delete the faster one's freshly-acquired lock, letting both enter fn() concurrently and race on the read-modify-write sequence. Fix: import withFileLock from infra/file-lock.ts (which re-exports the canonical plugin-sdk implementation) and remove the ~70-line inline lock. APPEND_LOCK_OPTIONS reproduces the previous timeout/retry budget (~100 × 50 ms ≈ 5 s) while gaining all fixes from plugin-sdk/file-lock. The lock payload format changed from a plain PID string to the JSON {pid, createdAt} envelope expected by the shared implementation; the stale-lock integration test is updated to match.
2026-03-15 07:36:31 +00:00
await withFileLock(file, APPEND_LOCK_OPTIONS, async () => {
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
const records = await readJsonArray(file);
records.push(entry);
fix(usage-log): write via temp file and atomic rename to prevent corruption appendRecord previously called fs.writeFile(token-usage.json, …) directly. A process crash or SIGKILL during that write can leave the file truncated; readJsonArray then throws (SyntaxError), and since attempt.ts swallows the error with .catch(), that one interrupted write silently disables all future token logging for the workspace until the file is manually repaired. Fix: write the new content to a uniquely-named sibling temp file first, then call fs.rename() to atomically replace the real file. rename(2) is atomic on POSIX when src and dst share the same directory/filesystem, so readers always see either the old complete file or the new complete file — never a partial write. The temp file is unlinked on error to avoid leaving orphans.
2026-03-14 18:41:39 +00:00
// Write to a sibling temp file then atomically rename into place so that
// a crash or kill during the write never leaves token-usage.json truncated.
// rename(2) is atomic on POSIX when src and dst are on the same filesystem,
// which is guaranteed here because both paths share the same directory.
const tmp = `${file}.tmp.${randomBytes(4).toString("hex")}`;
try {
await fs.writeFile(tmp, JSON.stringify(records, null, 2));
await fs.rename(tmp, file);
} catch (err) {
await fs.unlink(tmp).catch(() => {});
throw err;
}
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
});
fix(usage-log): serialise concurrent writes with per-file promise queue Fire-and-forget callers (attempt.ts) can trigger two concurrent recordTokenUsage() calls for the same workspaceDir. The previous read-modify-write pattern had no locking, so the last writer silently overwrote the first, losing that run's entry. Fix: keep a Map<file, Promise<void>> write queue so each write awaits the previous one. The queue slot is replaced with a no-throw wrapper so a failed write does not stall future writes. Added a concurrent-write test (20 parallel calls) that asserts no record is lost.
2026-03-13 09:37:25 +00:00
}
fix(usage-log): add cross-process file lock to prevent write races The in-memory writeQueues Map serialises writes within one Node process but two concurrent OpenClaw processes sharing the same workspaceDir (e.g. parallel CLI runs) can still race: both read the same snapshot before either writes, and the later writer silently overwrites the earlier entry. Add withFileLock() — an O_EXCL advisory lock on <file>.lock — to coordinate across processes. The per-file in-memory queue is kept to reduce lock contention within the same process. On lock-acquire failure the helper retries every 50 ms up to a 5 s timeout; on timeout it removes a potentially stale lock file and makes one final attempt to prevent permanent blocking after a crash.
2026-03-13 16:04:22 +00:00
// Per-file write queue: serialises concurrent recordTokenUsage() calls within
// the same process so they do not all contend on the cross-process file lock.
fix(usage-log): serialise concurrent writes with per-file promise queue Fire-and-forget callers (attempt.ts) can trigger two concurrent recordTokenUsage() calls for the same workspaceDir. The previous read-modify-write pattern had no locking, so the last writer silently overwrote the first, losing that run's entry. Fix: keep a Map<file, Promise<void>> write queue so each write awaits the previous one. The queue slot is replaced with a no-throw wrapper so a failed write does not stall future writes. Added a concurrent-write test (20 parallel calls) that asserts no record is lost.
2026-03-13 09:37:25 +00:00
const writeQueues = new Map<string, Promise<void>>();
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
export async function recordTokenUsage(params: {
workspaceDir: string;
runId?: string;
sessionId?: string;
sessionKey?: string;
provider?: string;
model?: string;
label: string;
usage?: {
input?: number;
output?: number;
cacheRead?: number;
cacheWrite?: number;
total?: number;
};
}) {
const usage = params.usage;
fix(usage-log): add curly braces to satisfy oxlint curly rule
2026-03-13 09:00:56 +00:00
if (!usage) {
return;
}
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
const total =
usage.total ??
(usage.input ?? 0) + (usage.output ?? 0) + (usage.cacheRead ?? 0) + (usage.cacheWrite ?? 0);
fix(usage-log): add curly braces to satisfy oxlint curly rule
2026-03-13 09:00:56 +00:00
if (!total || total <= 0) {
return;
}
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
const memoryDir = path.join(params.workspaceDir, "memory");
await fs.mkdir(memoryDir, { recursive: true });
fix(usage-log): canonicalize queue key to prevent concurrent writes via path aliases writeQueues was keyed by the raw workspaceDir-derived path before any realpath resolution. Two callers using different spellings of the same physical directory (a symlink and its target, or a relative vs absolute path) therefore produced separate queue entries and both entered appendRecord concurrently. Inside appendRecord, withFileLock calls resolveNormalizedFilePath which uses fs.realpath on the directory; both spellings resolve to the same normalised path. If one chain is already in fn() — its entry set in HELD_LOCKS — the second chain's acquireFileLock sees HELD_LOCKS hit for the same normalised path and re-entrantly joins it. Both callbacks then execute the read-modify-write cycle concurrently, and whichever writes last overwrites the first, silently dropping one entry per collision. Fix: call fs.realpath(memoryDir) immediately after fs.mkdir and use the canonical path as both the writeQueues key and the appendRecord file argument. A single canonical key means all in-process writers for the same physical file are serialised through one queue regardless of how the workspace path was spelled by the caller. Test: symlink tmpDir to a second name and interleave concurrent recordTokenUsage calls across both spellings. Asserts all N records survive — regression guard for the path-alias queue split.
2026-03-15 08:07:32 +00:00
// Canonicalize before keying writeQueues so that different path spellings
// for the same physical directory (e.g. a symlink vs its target) share a
// single in-process queue. Without this, two spellings produce separate
// queue entries and both call appendRecord concurrently; when
// withFileLock's HELD_LOCKS map then resolves both to the same normalised
// path the second caller re-entrantly joins the first — allowing concurrent
// read-modify-write cycles that silently drop entries.
const realMemoryDir = await fs.realpath(memoryDir).catch(() => memoryDir);
const file = path.join(realMemoryDir, "token-usage.json");
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
const entry: TokenUsageRecord = {
id: makeId(),
label: params.label,
tokensUsed: Math.trunc(total),
fix(usage-log): add curly braces to satisfy oxlint curly rule
2026-03-13 09:00:56 +00:00
...(usage.input != null && usage.input > 0 && { inputTokens: Math.trunc(usage.input) }),
...(usage.output != null && usage.output > 0 && { outputTokens: Math.trunc(usage.output) }),
...(usage.cacheRead != null &&
usage.cacheRead > 0 && { cacheReadTokens: Math.trunc(usage.cacheRead) }),
...(usage.cacheWrite != null &&
usage.cacheWrite > 0 && { cacheWriteTokens: Math.trunc(usage.cacheWrite) }),
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
model: params.model,
provider: params.provider,
runId: params.runId,
sessionId: params.sessionId,
sessionKey: params.sessionKey,
createdAt: new Date().toISOString(),
};
fix(usage-log): serialise concurrent writes with per-file promise queue Fire-and-forget callers (attempt.ts) can trigger two concurrent recordTokenUsage() calls for the same workspaceDir. The previous read-modify-write pattern had no locking, so the last writer silently overwrote the first, losing that run's entry. Fix: keep a Map<file, Promise<void>> write queue so each write awaits the previous one. The queue slot is replaced with a no-throw wrapper so a failed write does not stall future writes. Added a concurrent-write test (20 parallel calls) that asserts no record is lost.
2026-03-13 09:37:25 +00:00
const queued = writeQueues.get(file) ?? Promise.resolve();
const next = queued.then(() => appendRecord(file, entry));
writeQueues.set(
file,
next.catch(() => {}),
);
await next;
feat(usage-log): record inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens The recordTokenUsage function previously only persisted the aggregate tokensUsed total, discarding the input/output breakdown that was already available via getUsageTotals(). This meant token-usage.json had no per-record IO split, making it impossible to analyse input vs output token costs in dashboards. Changes: - Add inputTokens, outputTokens, cacheReadTokens, cacheWriteTokens optional fields to TokenUsageRecord type in usage-log.ts (new file) - Write these fields (when non-zero) into each usage entry - Fields are omitted (not null) when unavailable, keeping existing records valid - Wire up recordTokenUsage() call in attempt.ts after llm_output hook This is a purely additive change; existing consumers that only read tokensUsed are unaffected.
2026-03-13 06:35:38 +00:00
}
Reference in New Issue Copy Permalink