feat: fold upstream T1+T2 fixes back into fork (12 commits)

[crypticpy]

Summary

PR 1 of 3 in the upstream fold-back series. Picks up all Tier 1 (5 free pickup commits) and Tier 2 (high-value bug fixes) from chorus-codes/chorus upstream, adapted to fork conventions and preserving fork-specific behavior (audit-phase reviewer shape, fork's standardPhaseRoundsExhausted promotion, fork's per-vendor agent shims).

All commits authored as fork-native edits with Co-Authored-By: Claude Opus 4.7 attribution. Skips Windows-specific hunks (out of scope for fork) and contributor stack (deferred to PR 3).

Commits

Tier 1 — free pickup (5)

• 9fd258a feat(cli): add chorus diagnose command + crash-hook
• 33e7d57 feat(cli): add chorus quickstart self-test command
• d8a4ef4 fix(cli): dynamic import for open package (Node 22 ERR_REQUIRE_ESM)
• 0d68fe3 feat(cockpit): seed empty round-1 so QUEUED renders from t=0
• f595102 feat(daemon): runtime fallback-collision dedup across reviewer slots

Tier 2 — bug fixes (7)

• f96a4f9 fix(daemon): write REVIEWER FAILED summary on pre-spawn failure
• 357dc0d feat(voices): auto-disable on persistent quota_exhausted + lsof timeout
• 865de94 fix(daemon, schema): codex isolation + template-schema validation
• 15013f0 fix(runner): honour iterate.onDisagreement accept-doer/escalate
• 4dd03ee test(cli-precheck): cover macOS Keychain fallback for Claude Code v2
• e403e39 fix(cockpit): derive candidatesWithModels from snapshot's candidates field
• 5f770d8 feat(diagnose): capture failure context — CLI smoke, voice health, recent failed chats

Fork-specific adaptations

• Runner: decidePhaseOutcome pure helper (6-case matrix: 3 policies × 2 disagreement-gate states). Fork's standardPhaseRoundsExhausted promotion preserved alongside new escalated_on_disagreement branch.
• Cockpit candidatesWithModels: runtime narrowing skips audit-phase single-voice reviewers (fork's audit phase has a different reviewer shape than upstream).
• Diagnose: privacy-preserving — only errorMessageBytes exposed for recent failed chats; $HOME redacted via redactHomePaths; hard 2s SIGKILL timeout for CLI smoke (wrappers may trap SIGTERM); timedOut distinct from non-zero exit.
• Schema: new idx_voices_enabled index for WHERE enabled = 0 voice-health scan.

Test plan

• pnpm typecheck clean
• pnpm test — 821 tests passing (62 files)
• Each commit cherry-picked and built incrementally; no commit left the tree in a broken state
• Smoke chorus diagnose on a real ~/.chorus after merge
• Smoke chorus quickstart on a clean machine

🤖 Generated with Claude Code

Summary by Sourcery

Integrate upstream CLI, daemon, cockpit, and schema improvements into the fork, adding diagnostic and quickstart workflows while tightening reviewer orchestration, voice health handling, and template/CLI robustness.

New Features:

• Add a chorus diagnose command that prints a redacted diagnostic bundle for bug reports, including daemon state, DB health, logs, crash previews, CLI detection, voice health, and recent failed chats.
• Add a chorus quickstart command that fires a short self-test review against the first detected CLI and streams the result, seeding a private quickstart template on demand.
• Introduce a crash hook for the CLI entrypoint to capture uncaught errors into ~/.chorus/crashes and guide users to file issues or run diagnostics.
• Add per-voice failure tracking that can auto-disable voices on repeated quota_exhausted failures without a reset window, and surface auto-disabled voices in diagnostics.
• Add a runtime fallback-collision registry so reviewer slots avoid running the same fallback (lineage, model) in parallel, preserving lineage diversity and reducing wasted cost.

Bug Fixes:

• Ensure reviewer precheck failures write a REVIEWER FAILED summary on disk so cockpit cards exit the queued state with a visible error.
• Correct iterate onDisagreement handling so accept-doer and escalate policies are honoured distinctly from the legacy continue path, including terminal chat verdicts.
• Prevent false auth_missing failures for Claude Code v2+ on macOS by falling back to a Keychain probe when no credential file is present.
• Avoid ESM runtime errors for the open package by using a dynamic import when launching the browser from the CLI.
• Harden port and process utilities with bounded-time ss/lsof invocations and more robust PID/cmdline inspection to avoid hangs and misclassification.

Enhancements:

• Enrich template snapshots loaded from the DB by deriving candidatesWithModels from reviewer candidates so cockpit run cards always know which model to display, while preserving existing data when already present.
• Tighten template validation by rejecting reviewer configurations where require exceeds the number of candidates or distinct lineages when crossLineage=true, turning opaque run-time failures into clear schema errors.
• Refine cockpit round enrichment to seed an initial empty round-1 and synthesise queued reviewer placeholders from t=0 so cards render deterministically even before any reviewer directories exist.
• Factor codex headless invocation into a pure argv builder that always skips user config and git-repo checks, ensuring stable, sandboxed codex exec behaviour in reviewer/doer runs.
• Extend voice schema and indexing (including an enabled index) to support new auto-disable reasons and faster health scans used by diagnostics.
• Improve CLI browser-opening paths to use a shared helper with proper error handling and timeouts, and adjust Windows ESM imports in the launcher to be URL-safe.
• Load the file watcher library lazily in the daemon output watcher to reduce upfront dependencies and keep timeouts explicit.

Documentation:

• Document the new chorus diagnose command and crash log location in the README, including guidance for filing bug reports with diagnostic output.

Tests:

• Add extensive unit and integration-style tests for diagnostics, quickstart template generation, voice failure tracking, reviewer pre-spawn failures, fallback collision handling, codex headless args, port utilities, template parsing/validation, and cockpit round enrichment to cover the new behaviours and regressions.

[greptile-apps]

crypticpy has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[sourcery-ai]

Reviewer's Guide

Backports multiple upstream Tier 1/2 CLI, daemon, cockpit, and schema fixes into the fork, adding a new chorus diagnose command and crash hook, chorus quickstart self-test, improved reviewer/disagreement semantics, voice auto-disable on persistent quota_exhausted, codex headless hardening, macOS keychain auth fallback, richer template/cockpit schema handling, port/CLI robustness, and extensive regression tests — all while preserving fork-specific behaviors.

Sequence diagram for voice auto-disable on persistent quota_exhausted

sequenceDiagram
  participant Runner as runReviewer
  participant Tracker as recordVoiceFailure
  participant Voices as voices
  participant Settings as settings
  participant TrackerOK as recordVoiceSuccess

  Runner->>Runner: reviewer throws err.kind="quota_exhausted"
  Runner->>Tracker: recordVoiceFailure(lineage, model, hasResetAt)
  Tracker->>Voices: list({ lineage })
  Voices-->>Tracker: [voiceRow]
  alt hasResetAt is true
    Tracker-->>Runner: { disabled:false, voiceId }
  else hasResetAt is false
    Tracker->>Settings: get("voice_failures.{voiceId}")
    Settings-->>Tracker: previousCount
    Tracker->>Settings: set("voice_failures.{voiceId}", previousCount+1)
    alt failures >= AUTO_DISABLE_THRESHOLD
      Tracker->>Voices: update(voiceId,{ enabled:false, disabled_reason: auto_quota })
      Tracker->>Settings: set("voice_failures.{voiceId}", 0)
      Tracker-->>Runner: { disabled:true, voiceId }
      Runner->>Runner: onEvent(cli_warning, reason=voice_auto_disabled)
    else
      Tracker-->>Runner: { disabled:false, voiceId }
    end
  end

  %% On successful run
  Runner->>TrackerOK: recordVoiceSuccess(lineage, model)
  TrackerOK->>Voices: list({ lineage })
  Voices-->>TrackerOK: [voiceRow]
  TrackerOK->>Settings: get("voice_failures.{voiceId}")
  Settings-->>TrackerOK: count
  alt count > 0
    TrackerOK->>Settings: set("voice_failures.{voiceId}", 0)
  end

Loading

File-Level Changes

Change	Details	Files
Improve reviewer lifecycle, fallback behavior, and disagreement handling while preserving fork-specific runner semantics.	Create reviewer directories before precheck and write ## REVIEWER FAILED summaries for all pre-spawn failure paths so cockpit can surface errors instead of leaving cards queued forever. Introduce a per-chat/round fallback registry and use it in reviewer fallback chains to prevent multiple slots from concurrently running the same (lineage, model) fallback target, emitting fallback_collision warnings when collisions are avoided. Add per-voice quota tracking so repeated quota_exhausted errors without reset windows increment counters, auto-disable affected voices with auto_quota reason, and clear counters on successful runs. Track per-round disagreement state and add a pure decidePhaseOutcome helper to correctly honor iterate.onDisagreement policies (continue, accept-doer, escalate) while preserving existing standardPhaseRoundsExhausted handling and fork-specific chat_done behavior.	src/daemon/runner/reviewer-driver.ts src/daemon/runner.ts src/daemon/runner/template-fallback.ts src/daemon/runner/fallback-registry.ts src/lib/voice-failure-tracker.ts tests/voice-failure-tracker.test.ts tests/reviewer-driver-pre-spawn-failure.test.ts tests/iterate-on-disagreement.test.ts
Add chorus diagnose diagnostic command and global crash-hook for better bug reports and crash visibility.	Implement chorus diagnose command that gathers a redact-home diagnostic snapshot (versions, install mode, daemon state, DB counts, voice health, recent failed chats, CLI detection + --version smokes, crash previews, log tails) and prints it as a fenced markdown bundle. Add helpers to safely resolve bin paths through symlinks, detect install mode, redact $HOME from free-form strings, filter benign Next.js SSE disconnect noise from web logs, and summarise recent failed chats using on-disk _attempts.jsonl without leaking raw error messages. Introduce a minimal, dependency-free crash hook (and a matching inline twin in bin/chorus.mjs) that writes structured crash logs to ~/.chorus/crashes on uncaught exceptions/unhandled rejections and nudges users toward GitHub issues or chorus diagnose. Wire the diagnose command into the CLI entrypoint and README, and add unit tests for all helper functions and formatting paths.	src/cli/commands/diagnose.ts src/cli/crash-hook.ts bin/chorus.mjs src/cli/index.ts src/lib/db/connection.ts src/lib/db/schema.sql README.md tests/diagnose.test.ts tests/crash-hook.test.ts
Introduce chorus quickstart self-test command to fire a minimal review-only chat against the first detected CLI and surface its result inline.	Implement chorus quickstart command that detects available CLIs, maps the first one to a template reviewer lineage, upserts a private quickstart-self-test review-only template, posts a chat with a hardcoded off-by-one sample artifact, polls its status with SIGINT cancellation, and displays reviewer output or failure summaries inline. Add a small YAML builder that generates a schema-valid review-only template matching the live TemplateSchema, with crossLineage=false and require=1 so it works for single-CLI users, and ship disabled. Resolve cockpit URLs robustly via daemon.json instead of string substitution, and add tests covering the YAML builder, sample artifact, and mapping to the active schema.	src/cli/commands/quickstart.ts src/cli/index.ts tests/quickstart.test.ts
Harden CLI browser-opening and TCP port-inspection behavior for reliability across Node/OS combinations.	Replace direct open usage in CLI with a new openBrowser helper that dynamically imports the ESM-only open package to avoid ERR_REQUIRE_ESM under CJS builds, and await/catch failures when opening the cockpit URL (including from chorus start and status/auto-open paths). Enhance port-utils to set timeouts on ss/lsof subprocesses (with and without sudo), standardize on double-quoted strings, and ensure process-kill helpers use explicit signals and safer process lookup, adding tests to assert the timeout behavior.	src/cli/open-browser.ts src/cli/commands/start.ts src/cli/index.ts src/cli/port-utils.ts tests/port-utils.test.ts
Improve cockpit template/candidate handling and round enrichment so reviewer cards and models render correctly from t=0.	Extend fromRow to validate template_snapshot with TemplateSchema.safeParse and, on success, derive or preserve candidatesWithModels from each reviewer’s candidates while leaving single-voice audit-phase reviewers untouched, so cockpit code can iterate reviewer slots and show model names even when snapshots only carry daemon-side shapes. Add tests ensuring malformed/structurally-invalid/non-object snapshots fall back gracefully, and that both derived and pre-populated candidatesWithModels behave idempotently. Update enrichRounds to seed an empty round-1 when no rounds exist yet so the run page immediately renders QUEUED placeholder cards for all expected reviewer slots instead of cards appearing only as dirs are created, and add tests for the placeholder behavior and model propagation.	src/lib/api/chats.ts tests/api-chats-from-row.test.ts src/components/live-run-real/enrich-rounds.ts tests/enrich-rounds.test.ts
Tighten template schema validation and review configuration to catch misconfigured reviewer pools early.	Enhance ReviewerSchema with superRefine rules that reject require values exceeding candidates.length and, when crossLineage=true, exceeding the number of distinct lineages, surfacing clear schema errors at template-save time instead of opaque run-time failures. Add tests covering invalid require/candidates combinations and valid edge cases (e.g. require=N with N distinct lineages and crossLineage=true, and the non-cross-lineage cases).	src/lib/template-schema.ts tests/template-schema.test.ts
Harden codex integration for headless runs by centralizing argv construction and ignoring user config that can hang review jobs.	Refactor codex headless execution to a pure buildHeadlessArgs helper that always includes --skip-git-repo-check and --ignore-user-config, encodes sandbox/network/model flags, and tells codex exec to read the prompt from stdin. Update codexShim.runHeadless to use the new helper while preserving accountId/model validation, workspace pre-trust, and spawn options; add tests to lock the expected argv shape and the presence of --ignore-user-config. Normalize string quoting in codex.ts to consistent double quotes.	src/daemon/agents/codex.ts tests/codex-headless-args.test.ts
Extend CLI precheck behavior with macOS Keychain support for Claude Code v2 credentials and improve the associated tests.	Mock node:child_process.execFileSync in cli-precheck tests to simulate macOS Keychain behavior, and expand test coverage to ensure quota gating, cred file detection, per-lineage CTAs, and the new anthropic-on-darwin keychain fallback behave as intended. Ensure that when cred files exist, keychain is skipped; when running on non-anthropic lineages, keychain is not consulted; and that tests correctly reset HOME, DB, and mocks between runs.	tests/cli-precheck.test.ts
Add and wire voice-health metadata to support diagnose and auto-disable surfaces.	Extend VoiceRowSchema.disabled_reason to accept a new auto_quota value and document semantics for user, auto_missing, and auto_quota in code comments. Add indexes on voices.enabled (both in SQL and initDb) to speed up disabled-voice scans used by chorus diagnose, and expose voice-health summary (total voices, auto-disabled-by-quota/missing, user-disabled count) via the diagnose snapshot and report formatting.	src/lib/db/voices.ts src/lib/db/connection.ts src/lib/db/schema.sql src/cli/commands/diagnose.ts tests/diagnose.test.ts
Misc daemon and CLI robustness improvements and test coverage expansions.	Convert the output watcher’s waitForAnswer to dynamically import chokidar to avoid bundling issues and better align with async usage. Normalize string quoting/style across several modules for consistency, and add small correctness tweaks such as using pathToFileURL when dynamically importing dist/src entrypoints from the bin script to avoid Windows ESM URL scheme issues. Add or expand tests around template snapshot parsing, daemon chat-from-row behavior, and other touched areas to ensure no regressions from the upstream fold-in.	src/daemon/output-watcher.ts bin/chorus.mjs tests/api-chats-from-row.test.ts tests/enrich-rounds.test.ts tests/iterate-on-disagreement.test.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ba5d7a2-c07c-408c-8821-70c31c170afa

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 security issue, 3 other issues, and left some high level feedback:

Security issues:

• Detected calls to child_process from a function argument bin. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. (link)

General comments:

• The new fallback registry (fallback-registry.ts) is only used for per-attempt claims; I don’t see any call to resetRound() in the runner, so it’d be good to either wire resetRound(chatId, round) into the end-of-round/phase path or document why cross-round stickiness is intentional to avoid subtle over‑deduplication or state leaks across rounds.
• Crash handling logic now exists both in bin/chorus.mjs and src/cli/crash-hook.ts with slightly different responsibilities; consider centralizing shared pieces (e.g. log format, field set) or adding a small shared helper to keep them from drifting over time.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new fallback registry (`fallback-registry.ts`) is only used for per-attempt claims; I don’t see any call to `resetRound()` in the runner, so it’d be good to either wire `resetRound(chatId, round)` into the end-of-round/phase path or document why cross-round stickiness is intentional to avoid subtle over‑deduplication or state leaks across rounds.
- Crash handling logic now exists both in `bin/chorus.mjs` and `src/cli/crash-hook.ts` with slightly different responsibilities; consider centralizing shared pieces (e.g. log format, field set) or adding a small shared helper to keep them from drifting over time.

## Individual Comments

### Comment 1
<location path="src/daemon/runner/reviewer-driver.ts" line_range="434-438" />
<code_context>
+            // return null so runWithChainFallback advances to the next chain
+            // entry; emit a cli_warning tagged `fallback_collision` so the
+            // cockpit can show why the slot skipped.
+            const claimed = tryClaimFallbackTarget(
               chatId,
-              phase,
               round,
-              reviewerIdx,
-              candidateLineage: entry.lineage,
-              candidateModel: entry.model,
-              agentName,
-              askContent: ask,
-              answerFile,
-              reviewerDir,
-              repoPath,
-              abortSignal: handle.signal,
-              onEvent,
-            });
+              entry.lineage,
+              entry.model,
+            );
+            if (!claimed) {
</code_context>
<issue_to_address>
**issue (bug_risk):** Avoid releasing a fallback claim that wasn’t acquired.

Because `releaseFallbackClaim(chatId, round, entry.lineage, entry.model)` is always called in `finally`, it runs even when `tryClaimFallbackTarget` returns `false`. That allows a slot that never held the claim to release it, potentially clearing another slot’s valid claim and causing two reviewers to collide on the same fallback. Please call `releaseFallbackClaim` only when `claimed` is true (e.g., `if (claimed) releaseFallbackClaim(...)`).
</issue_to_address>

### Comment 2
<location path="src/cli/commands/diagnose.ts" line_range="163" />
<code_context>
+ * earn their entry by being explicitly added — we don't want to hide
+ * an actual bug because its message vaguely matches a regex.
+ */
+function filterBenignNoise(text: string): {
+  kept: string;
+  filteredCount: number;
</code_context>
<issue_to_address>
**issue (complexity):** Consider extracting shared helpers (log-noise filtering, CLI smoking, path utilities, and DB/daemon sections) into dedicated functions/modules so the diagnose command stays focused and easier to follow.

The new command is functionally rich but quite dense; a few small extractions would reduce complexity without changing behavior.

### 1. Simplify `filterBenignNoise` to a line/block‑level filter

The current brace‑depth + orphan‑tail logic is quite intricate for a very specific pattern. You can treat the Next.js SSE trace as a block starting from a header and ending at the first blank line (or a fixed number of lines), which is easier to reason about and extend.

For example:

```ts
// lib/diagnostics/log-noise.ts
const NEXT_PIPE_HEADER = "Error: failed to pipe response";
const NEXT_BLOCK_MAX_LINES = 20;

export function filterBenignNoise(text: string): { kept: string; filteredCount: number } {
  if (!text || text.startsWith("(")) return { kept: text, filteredCount: 0 };

  const lines = text.split("\n");
  const kept: string[] = [];
  let filteredCount = 0;

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (line.includes(NEXT_PIPE_HEADER)) {
      filteredCount++;
      let skipped = 0;
      // Drop the header + following lines until blank or cap
      while (i + 1 < lines.length && skipped < NEXT_BLOCK_MAX_LINES) {
        const next = lines[i + 1];
        if (!next.trim()) {
          i++; // consume blank line and stop
          break;
        }
        i++;
        skipped++;
      }
      continue;
    }
    kept.push(line);
  }

  return { kept: kept.join("\n"), filteredCount };
}
```

Then the command module only wires it:

```ts
import { filterBenignNoise } from "../../lib/diagnostics/log-noise.js";

// ...
webTail: (() => {
  const raw = tailFile(path.join(chorusDir, "logs", "web.log"), 300);
  const { kept, filteredCount } = filterBenignNoise(raw);
  const trimmed = kept.split("\n").slice(-20).join("\n").trim();
  return filteredCount > 0
    ? `${trimmed}\n  (${filteredCount} benign SSE-disconnect trace${filteredCount === 1 ? "" : "s"} filtered)`
    : trimmed;
})(),
```

This keeps the “hide SSE noise” behavior while making the implementation much simpler.

### 2. Extract CLI smoking into a reusable helper

`smokeOneCli` is fairly sophisticated (timeouts, stdout/stderr capture, redaction, signals). Pulling it into a small reusable helper keeps this command thin and makes the behavior shareable across diagnostics.

```ts
// lib/cli/smoke.ts
import { spawn } from "child_process";
import { redactHomePaths } from "../path-utils.js";

export interface SmokeResult {
  ok: boolean;
  exitCode?: number;
  version?: string;
  stderrFirstLine?: string;
  timedOut?: boolean;
}

export function smokeOneCli(bin: string): Promise<SmokeResult> {
  // (move the existing implementation here unchanged)
}
```

In `diagnose.ts`:

```ts
import { smokeOneCli, type SmokeResult } from "../../lib/cli/smoke.js";

// ...
const smokes: Array<SmokeResult | undefined> = await Promise.all(
  found.map((d) => (d.found && d.path ? smokeOneCli(d.path) : Promise.resolve(undefined))),
);
```

This immediately shortens the command file and isolates process‑spawning concerns.

### 3. Centralize path helpers

`abbreviateHome`, `redactHomePaths`, and `resolveBinPath` are generic utilities and can live in a small shared module:

```ts
// lib/path-utils.ts
import os from "os";
import fs from "fs";

export function abbreviateHome(p: string): string {
  const home = os.homedir();
  return p.startsWith(home) ? "~" + p.slice(home.length) : p;
}

export function redactHomePaths(s: string): string {
  const home = os.homedir();
  if (!home) return s;
  const escaped = home.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return s.replace(new RegExp(escaped, "g"), "~");
}

export function resolveBinPath(rawBinPath: string): string {
  try {
    return fs.realpathSync(rawBinPath);
  } catch {
    return rawBinPath;
  }
}
```

Then in `diagnose.ts`:

```ts
import { abbreviateHome, redactHomePaths, resolveBinPath } from "../../lib/path-utils.js";
```

This reduces the “utility noise” in the command and makes these helpers available to other commands.

### 4. Optionally split `gather()` by concern

Even without creating separate files immediately, you can reduce `gather()`’s cognitive load by factoring the major sections into small helpers (which can later be moved to `lib/diagnostics/*`):

```ts
async function getDbCounts(): Promise<{ chats: number | string; voices: number | string }> {
  try {
    const { getDb } = await import("../../lib/db/connection.js");
    const db = await getDb();
    const cr = await db.execute("SELECT COUNT(*) AS n FROM chats");
    const vr = await db.execute("SELECT COUNT(*) AS n FROM voices");
    return {
      chats: Number((cr.rows[0] as any).n),
      voices: Number((vr.rows[0] as any).n),
    };
  } catch (err) {
    return {
      chats: `(error: ${err instanceof Error ? err.message.slice(0, 80) : "unknown"})`,
      voices: "(unavailable)",
    };
  }
}

// inside gather():
const { chats, voices } = await getDbCounts();
// ...
db: { chats, voices },
```

Similar extractions for “daemon state”, “voice health”, and “recent failed chats” would turn `gather()` into a high‑level orchestrator rather than a long, mixed‑concern function.
</issue_to_address>

### Comment 3
<location path="bin/chorus.mjs" line_range="21" />
<code_context>
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { dirname, join, resolve } from "node:path";
+
+// Crash hook — installed BEFORE any other import so it captures early
+// startup failures. The src/cli/crash-hook.ts version is the testable
+// canonical source; this is its zero-dependency twin, kept inline so it
</code_context>
<issue_to_address>
**issue (complexity):** Consider extracting the shared crash-log formatting into a small reusable module so both the TS crash hook and the bin script can use it instead of duplicating logic.

The duplicated crash‑handling logic in `bin/chorus.mjs` does increase complexity and maintenance risk. You can keep the “early install, zero deps” behavior without hand‑maintaining a second implementation by extracting a tiny shared formatter module and reusing it from both places.

One concrete way to do this:

1. **Extract a pure formatter from the TS side**

Create a small, dependency‑free module that only knows how to turn an error + context into `{ body, headline }`. It should not do any IO, so it’s safe to call from both the bin stub and the existing TS crash hook.

```ts
// src/cli/crash-log-core.ts
export interface CrashContext {
  err: unknown;
  source: string;
  version: string;
  node: string;
  platform: string;
  argv: string;
  cwd: string;
  uptimeMs: number;
}

export function buildCrashLog(ctx: CrashContext): {
  body: string;
  headline: string;
} {
  const stack =
    ctx.err instanceof Error
      ? `${ctx.err.name}: ${ctx.err.message}\n${ctx.err.stack ?? "(no stack)"}`
      : String(ctx.err);

  const body = [
    "# Chorus crash report",
    "",
    `timestamp:    ${new Date().toISOString()}`,
    `source:       ${ctx.source}`,
    `chorus:       ${ctx.version}`,
    `node:         ${ctx.node}`,
    `platform:     ${ctx.platform}`,
    `argv:         ${ctx.argv}`,
    `cwd:          ${ctx.cwd}`,
    `uptime_ms:    ${ctx.uptimeMs}`,
    "",
    "## Error",
    "",
    stack,
    "",
  ].join("\n");

  const headline =
    ctx.err instanceof Error
      ? `${ctx.err.name}: ${ctx.err.message}`
      : String(ctx.err);

  return { body, headline };
}
```

Ensure this is compiled as a tiny JS helper (e.g. `dist/cli/crash-log-core.js`) as part of your normal build.

2. **Use the shared formatter in the existing TS crash hook**

Refactor `src/cli/crash-hook.ts` to call the formatter and only own the wiring + IO:

```ts
// src/cli/crash-hook.ts
import { homedir } from "node:os";
import { join } from "node:path";
import { mkdirSync, writeFileSync } from "node:fs";
import { buildCrashLog } from "./crash-log-core";

const crashDir = join(homedir(), ".chorus", "crashes");

function writeCrash(err: unknown, source: string, version: string) {
  const { body, headline } = buildCrashLog({
    err,
    source,
    version,
    node: process.versions.node,
    platform: `${process.platform} ${process.arch}`,
    argv: process.argv.slice(1).join(" "),
    cwd: process.cwd(),
    uptimeMs: Math.round(process.uptime() * 1000),
  });

  // (existing mkdirSync/writeFileSync + stderr messaging here)
}

// existing process.on(...) hooks call writeCrash()
```

3. **Thin the bin crash hook down to “wire + IO” and reuse the same formatter**

In `bin/chorus.mjs`, import the compiled helper before anything else, but keep the rest minimal. You still read the version locally to avoid depending on `src`, but you no longer duplicate the log format / fields.

```js
// bin/chorus.mjs
import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
import { fileURLToPath, pathToFileURL } from "node:url";
import { dirname, join, resolve } from "node:path";
import { buildCrashLog } from "../dist/cli/crash-log-core.js"; // tiny, prebuilt helper

const ISSUE_URL = "https://github.com/chorus-codes/chorus/issues/new";

function readChorusVersion() {
  try {
    const __dn = dirname(fileURLToPath(import.meta.url));
    const raw = readFileSync(resolve(__dn, "..", "package.json"), "utf-8");
    const parsed = JSON.parse(raw);
    return typeof parsed.version === "string" ? parsed.version : "(unknown)";
  } catch {
    return "(unknown)";
  }
}

function installCrashHook() {
  const crashDir = join(homedir(), ".chorus", "crashes");
  const version = readChorusVersion();

  const handle = (err, source) => {
    const ctx = {
      err,
      source,
      version,
      node: process.versions.node,
      platform: `${process.platform} ${process.arch}`,
      argv: process.argv.slice(1).join(" "),
      cwd: process.cwd(),
      uptimeMs: Math.round(process.uptime() * 1000),
    };

    const { body, headline } = buildCrashLog(ctx);
    // minimal duplication: mkdirSync/writeFileSync + stderr messaging
  };

  process.on("uncaughtException", (err) => handle(err, "uncaughtException"));
  process.on("unhandledRejection", (err) => handle(err, "unhandledRejection"));
}

installCrashHook();
```

This preserves:

- Early installation in the bin file before `await import(distEntry)`.
- Zero reliance on importing TS or the main CLI entrypoint.
- Identical crash log structure and messaging in both code paths, with a single source of truth for semantics.

The remaining duplication is now limited to small, obvious IO glue (where the paths differ anyway), and all formatting / fields live in one place.
</issue_to_address>

### Comment 4
<location path="src/cli/commands/diagnose.ts" line_range="302" />
<code_context>
      child = spawn(bin, ["--version"], { windowsHide: true });
</code_context>
<issue_to_address>
**security (javascript.lang.security.detect-child-process):** Detected calls to child_process from a function argument `bin`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5f770d88e3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include no_review chats in diagnostics

When every reviewer fails (for example missing CLI/auth/quota exhaustion), runChat ends the chat with status = 'no_review', and those runs are exactly where _attempts.jsonl contains the failure context this new diagnose section is meant to surface. Because this query only includes failed, blocked, and cancelled, chorus diagnose reports no recent failed chats for the common all-reviewers-failed case, forcing users back into manual log collection.

Useful? React with 👍 / 👎.

[crypticpy]

Fixed in f404044 — added no_review to the IN-list (and a regression test that asserts both the status and quota_exhausted errorKind render). Good catch: no_review is exactly the all-reviewers-failed terminal state that this section was meant to surface, so the original query was reporting empty for the most useful case.

[greptile-apps]

crypticpy has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.