feat(automations): Automation Engine — Phase 1a (#3653)

[Yeraze]

Automation Engine — Phase 1a (#3653)

A generic, global "when this happens, do that" automation system for MeshMonitor — Home Assistant / Node-RED / IFTTT-inspired, replacing hardcoded automations. Applies across all sources (like Map Analysis). Built on a graph data model with an IFTTT/Maintainerr-style linear builder (drag-and-drop canvas deferred to Phase 2).

Design doc: docs/internal/dev-notes/AUTOMATION_ENGINE_PLAN.md.

Screenshots

The builder + in-app Test panel (dry-run: "Trigger matched · completed", no IO, nothing saved)

IFTTT/Maintainerr-style builder — WHEN → RULE (IF/THEN) → optional FINALLY combine

Automations list  ·  Variables help drawer (types & scopes)

Highlights

Engine (server) — event-driven off dataEventEmitter; per-automation trigger index; topological graph evaluation with condition routing (If/ElseIf/Else), fanout/collapse (map/reduce: ANY/ALL/NONE), cooldown throttle, per-run action cap, and a run-log. All mesh IO is injected (ActionDeps) so the pipeline is fully unit-tested.

Triggers — message · node discovered · node updated · telemetry · schedule · system (bootup / source online / source offline / upgrade available) · geofence (enter / exit / dwell).

Conditions — numeric (event field / hydrated node field / latest telemetry, all ops, variable operands) · string (message text, node longName/shortName/roleName, all ops) · source filter · distance from a point · variable / flag · time-of-day.

Actions — tapback · send message (channel/DM, reply-to-trigger, interpolation) · node manage (favorite/ignore/delete) · notify via Apprise.

User-defined variables — types string/integer/float/boolean/flag (flag = auto-clearing boolean for anti-spam) · scopes global/source/node/sourceNode · readonly constants vs dynamic · with an in-UI help drawer.

In-app Test / dry-run — POST /api/automations/test: run a workflow against a synthetic event with no mesh IO, no Apprise dispatch, no persistence. Returns the full trace (trigger match, per-condition verdicts, resolved action params, simulated variable writes). Surfaced as a ▶ Test panel in the builder so authors preview a rule before saving — and reused as the deterministic substrate for no-hardware system tests.

Apprise — action.notify dispatches through appriseNotificationService.notifyDirect (per-source → global → APPRISE_URL → bundled :8000), with optional inline Apprise URL(s) + severity.

Data model — 4 global tables (automations, automation_runs, automation_variables, automation_variable_values) across SQLite/PostgreSQL/MySQL (migrations 098/099), registered in the migrate-db CLI table order.

Testing

• Full Vitest suite green (7,304 passed, 0 failed). New unit suites cover the evaluator, condition evaluator, trigger context, variable resolver/codec, compile/decompile, geofence, Apprise notifyDirect, the engine service (incl. system-event prefilter + geofence + notify-failure), and the simulator.
• Deterministic no-hardware system tests built on the test endpoint: tests/automation/{lib.sh,test-triggers.sh,test-conditions.sh} — 24 live assertions passing against a deployed container.

Scope / follow-ups (Phase 1b+)

• MeshCore triggers/fields in the engine; "upgrade available" wired only via the version-check route so far.
• flow.delay / stateful waits; visual drag-and-drop canvas; remaining system-test batches (flow/map-reduce, actions w/ Apprise stub, lifecycle, MQTT smoke).

🤖 Generated with Claude Code

[github-actions]

Claude finished @Yeraze's task —— View job

---

PR Review: Automation Engine — Phase 1a

Tasks:

• Gather context and understand the PR
• Review types and data model
• Review engine services (evaluators, executors)
• Review routes and API
• Review DB schema and migrations
• Review frontend components
• Review test coverage
• Compile final feedback

---

This is a substantial, well-architected feature. Overall code quality is high — the dependency-injected engine, the strong type model, the three-DB migration support, and the comprehensive test coverage all reflect mature engineering. The items below are observations and suggestions, not blockers.

---

Code Quality & Architecture

Strengths:

• Excellent separation of concerns: AutomationEngineService orchestrates but delegates mesh IO via ActionDeps, graph walking via graphEvaluator, and condition evaluation via conditionEvaluator. Each is independently testable.
• The validateAutomationGraph function in src/types/automation.ts returns structured errors instead of throwing — good pattern for import UIs.
• The SimVariableResolver design (record writes, read through to real DB) is clean and makes dry-runs reliable.
• Topological sort using Kahn's algorithm before walking the DAG is correct and efficient.
• The getSubjectNode memo (ctx.__nodeP) in engineContext.ts:66 avoids redundant DB lookups across conditions in the same run — nice detail.

Observations:

1. any casts in the engine (automationEngineService.ts:110, automationEngineService.ts:233, automationEngineService.ts:249):

   const cooldownSeconds = Number((triggerNode.params as any)?.cooldownSeconds ?? 0) || 0;
   const want = (a.triggerNode.params as any)?.telemetryType;

   These are casting params?: Record<string, unknown> to any to read typed sub-fields. Since params is already typed as Record<string, unknown>, you can avoid any with a narrowing helper or a typed interface per trigger param set. This is minor but these appear in several places across the engine services.

2. Double step push on condition error (graphEvaluator.ts:157-160):

   } catch (e: any) {
     result = false;
     steps.push({ nodeId, type: node.type, outcome: 'condition:false', error: e?.message }); // ← pushed on error
   }
   conditionResults[nodeId] = result;
   steps.push({ nodeId, type: node.type, outcome: result ? 'condition:true' : 'condition:false' }); // ← pushed again unconditionally

   When a condition throws, two steps are pushed for the same node — one with the error and one without. The error details are on the first record but the second (sans error) is also written. Consider guarding the second push with } else { or merging into a single push.

3. In-memory geofence state leaks (automationEngineService.ts:79):

   private geofenceState = new Map<string, boolean>();

   The geofenceState map grows unbounded as nodes come and go. For deployments with thousands of tracked nodes and many geofence automations, this could accumulate stale entries. A simple LRU or periodic TTL-based eviction would be prudent once the feature gets broader use.

4. lastFired map also unbounded (automationEngineService.ts:77):
   Similar concern — every automation that ever fires adds an entry keyed by automationId. This is less risky (bounded by automation count) but worth noting for completeness.

---

Potential Bugs

5. Cooldown fires before the run succeeds (automationEngineService.ts:169-172):

   if (!this.cooledDown(a, now)) continue;
   this.lastFired.set(a.id, now);   // ← recorded before the await
   fired++;
   await this.fireAutomation(a, ctx, now);

   The cooldown timestamp is stamped before fireAutomation is awaited. If the run throws (caught inside fireAutomation) or if it writes a failed run-log, the cooldown still advances as if it succeeded. This is a deliberate tradeoff (prevents retry storms), but it means a flapping source that repeatedly throws will eat the full cooldown. Worth a comment clarifying this is intentional.

6. trigger.nodeDiscovered is never actually emitted (automationEngineSingleton.ts:103-113):

   case 'node:updated': {
     // ...
     await e.onNode('trigger.nodeUpdated', nodeNum, changed, sourceId);

   The comment says "Discovered vs updated detection (isNew) is deferred to a later phase" — both node:updated events are emitted as nodeUpdated. Any automation with a trigger.nodeDiscovered trigger will therefore never fire. This should be documented more prominently in the UI or the trigger type should be greyed out until Phase 1b.

7. regex condition is untested against ReDoS (conditionEvaluator.ts:41, triggerContext.ts:172):

   case 'regex':
     try { return new RegExp(b).test(a); } catch { return false; }

   And in the trigger pre-filter:

   re = new RegExp(params.regex);

   User-supplied regex patterns are compiled and evaluated on every matching message/event. A pathological pattern (ReDoS) can block the Node.js event loop. Consider using a timeout-based approach or a linear-time regex library for user-supplied patterns, or at minimum add a length cap.

8. condition.logical recurses with raw sub-nodes (conditionEvaluator.ts:134):

   const subs = Array.isArray(p.conditions) ? (p.conditions as AutomationNode[]) : [];

   The p.conditions array is pulled straight from params (unvalidated Record<string, unknown>). The graph validator (validateAutomationGraph) does not validate nested condition.logical sub-nodes — they're invisible to the DAG. A deeply nested or circular logical structure could cause a stack overflow. A depth limit and type-guard here would make this safer.

9. action.sendMessage missing channel bound-check (actionExecutor.ts:61):

   const channel = p.channel != null ? Number(p.channel) : triggerChannel;

   No validation that channel is in [0, 7] (Meshtastic channel range). An out-of-range channel would be silently forwarded to the manager. Minor but worth a clamp or validation.

---

Security Concerns

10. POST /api/automations/test accepts arbitrary configs (automationRoutes.ts:147):
    This endpoint parses and validates the config graph but then calls simulateAutomation with liveData: createMeshNodeDataProvider() — meaning it queries the live database for node/telemetry data even during a dry-run. This is appropriate design, but note that a user with automations:write can probe any node's data by crafting a condition.numeric { field: "node.batteryLevel", nodeNum: X } and checking if the condition returns true/false. It's effectively an enumeration side-channel. Acceptable given the write permission gate, but worth being aware of.

11. No size limit on config or log columns: An automation config that generates a flow.fanout with 50 rules, each with 50 actions, stays within maxActions: 50 but can still produce a very large log JSON blob per run. The automation_runs.log column is TEXT with no length check at the application layer. This isn't a security issue per se but could bloat the DB on prolific automations.

12. Apprise URL injection via interpolation (actionExecutor.ts:91-92):

    const rawUrls = typeof p.urls === 'string' ? await interpolateAsync(p.urls, ctx) : '';
    const urls = rawUrls.split(/[\n,]/).map((u) => u.trim()).filter((u) => u.length > 0);

    A {{ trigger.text }} in the urls field lets a mesh message inject arbitrary Apprise service URLs. A bad actor who can send messages on a monitored channel could craft a payload that redirects notifications to an attacker-controlled endpoint. Consider stripping {{ }} interpolation from the urls field or limiting it to {{ var.* }} paths only.

---

Performance

13. Every trigger event hits all enabled automations (automationEngineService.ts:162):
    The pre-filters (message regex, telemetry type, system event) are cheap, but getSubjectNode / getTelemetry go to the database. For high-traffic deployments (MQTT relay with thousands of messages/second), each message fires listEnabledAutomations ... wait, no — the index is cached in memory. That's fine. But every onMessage call that passes the pre-filter will run fireAutomation, which awaits evaluateGraph, which calls getSubjectNode (DB query) if any condition references node.*. Consider lazy-loading: only hydrate the subject node when a condition actually needs it (which getSubjectNode's memo already does, but the DB call is always synchronous with the event handling path). This is fine for typical deployments; just note it for MQTT-scale.

14. reloadAutomations() on every CRUD mutation (automationRoutes.ts:220, 260, 271, 282, 296):
    Each create/update/enable/disable/delete calls reloadAutomations(), which re-queries all enabled automations and rebuilds the entire index. For large automation sets (hundreds), this is a full-table scan per mutation. An incremental update (add/remove individual entries) would scale better. Not an issue for the expected Phase 1a scale, but a future consideration.

---

Test Coverage

Strengths:

• 7,304 tests passing; dedicated suites for evaluator, conditions, triggers, variables, geofence, simulator, and Apprise.
• Deterministic system test harness against the live container is an excellent approach.

Gaps:
15. No test for the double-step-push bug (point 2 above) — add a test asserting steps.length === 1 when a condition throws.
16. condition.logical deep nesting — no test for recursion depth; a depth=3+ nested logical with circular reference isn't covered.
17. trigger.nodeDiscovered never fires — no test asserting this edge case; a comment or a skipped test would document the known gap.
18. ReDoS guard — no tests for pathological regex patterns in condition.string or message trigger pre-filters.

---

Minor / Nits

19. automationRoutes.ts:86 UNIQUE detection is fragile:

    if (String(error?.message).includes('UNIQUE')) {

    This works for SQLite but PostgreSQL error messages say "duplicate key value violates unique constraint" (no "UNIQUE"). MySQL says "Duplicate entry". If the automation_variables.name unique constraint is ever violated on PostgreSQL or MySQL, a 409 won't be returned — it'll fall through to a 500. Either use a consistent error code check or catch per-driver.

20. automationEngineSingleton.ts module-level mutable state (let engine, let subscribed, let lastUpgradeNotified): This is a standard singleton pattern for Node.js, but subscribed is a process-global flag that means calling startAutomationEngine() twice in a test will silently not re-subscribe. The idempotency guard is correct but unit tests that call startAutomationEngine multiple times in the same process will share this state.

21. AutomationsPage.tsx:87 uses confirm() and alert(): Browser-native modals block the main thread and are unavailable in some embedded/WebView contexts. The existing app codebase likely has a toast/modal component — using that would be more consistent.

22. compile.ts node IDs are positional and not UUIDs (e.g. 't', 'c0', 'r0c0'): These are deterministic and human-readable, which is nice for debugging and the test suite. However, an imported and re-saved automation will re-compile with the same IDs, making it impossible to distinguish nodes in the run log by ID alone if two automations use the same graph shape. Not a bug, but worth noting.

---

Summary: This is a production-quality Phase 1a implementation. The architecture is sound, the test coverage is thorough, and the design decisions (global automations, source-filter block for scoping, dry-run simulator) are well-reasoned. The most actionable items before a 1.0 stamp would be the double-step bug (#2), the Apprise URL injection via interpolation (#12), the trigger.nodeDiscovered dead trigger (#6), and the UNIQUE error detection across DBs (#19). The ReDoS concern (#7) is the one worth tracking as a security item.

[github-actions]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[github-actions]

Claude finished @Yeraze's task —— View job

---

PR Review: Automation Engine — Phase 1a

Tasks:

• Gather context and understand the PR
• Review engine services (evaluators, trigger context, action executor)
• Review routes and API security
• Review DB schema and migrations
• Review frontend components
• Review test coverage
• Compile final feedback

---

This is a substantial, well-architected feature. The architecture is sound, the CodeQL concerns from the initial review have been resolved in the code, and the test coverage is thorough. Below is my independent review.

---

What's Been Addressed Well (compared to initial concerns)

ReDoS (CodeQL alert) — triggerContext.ts:174 and conditionEvaluator.ts:43 both now use compileUserRegex() backed by RE2 (linear-time regex engine). The safeRegex.ts module clearly documents the trade-off and resolves the CodeQL js/regex-injection alert. ✅

Property injection (CodeQL alert) — graphEvaluator.ts:111-195 uses a Map<string, boolean> for conditionResults internally, and serializes to a plain object via Object.fromEntries only on return. The comment explicitly references the __proto__/constructor injection risk. ✅

Double-step push bug — The previous review flagged a double push on condition error. Reading the actual code at graphEvaluator.ts:155-165, this has been fixed: a single steps.push handles both the success and error case using spread syntax (...(error ? { error } : {})). ✅

Apprise URL injection — actionExecutor.ts:92 uses interpolateAsync(p.urls, ctx, { varsOnly: true }) which, per engineContext.ts:94, blocks non-var.* paths. trigger.* cannot be injected into Apprise URLs. ✅

UNIQUE error detection across DBs — automationRoutes.ts:88-89 lowercases the error message and checks for both 'unique' and 'duplicate', covering SQLite, PostgreSQL, and MySQL. ✅

---

Remaining Issues

1. trigger.nodeDiscovered is dead code (automationEngineSingleton.ts:103-108)

case 'node:updated': {
  await e.onNode('trigger.nodeUpdated', nodeNum, changed, sourceId);
  // trigger.nodeDiscovered is never emitted
}

Both node:updated events are dispatched as trigger.nodeUpdated. Any automation with trigger.nodeDiscovered will silently never fire. The UI's catalog (catalog.ts) exposes this trigger type to users with no indication it's inactive. This should either:

• Be clearly documented/greyed out in the UI
• Have a skipped/todo test documenting the gap

2. any casts for trigger params (automationEngineService.ts:110, 233, 249)

const cooldownSeconds = Number((triggerNode.params as any)?.cooldownSeconds ?? 0) || 0;
const want = (a.triggerNode.params as any)?.telemetryType;

params is typed as Record<string, unknown>, so (params as any) is unnecessary — params?.cooldownSeconds or params?.['cooldownSeconds'] directly reads the value with the same runtime behavior but avoids suppressing type safety. Minor but appears three times.

3. Unbounded in-memory geofence state (automationEngineService.ts:79)

private geofenceState = new Map<string, boolean>();

Keys are ${automationId}:${nodeNum}. In high-traffic MQTT deployments, with thousands of nodes and multiple geofence automations, this map grows without bound. Stale entries for deleted nodes/automations are never evicted. Acceptable for Phase 1a, but worth a // TODO: evict comment at minimum.

4. condition.logical depth not capped (conditionEvaluator.ts:134-143)

case 'condition.logical': {
  const subs = Array.isArray(p.conditions) ? (p.conditions as AutomationNode[]) : [];
  // ... recursive evaluateCondition(subs[0], ctx)

Nested condition.logical sub-nodes are not DAG nodes — they're raw params.conditions arrays outside the validator's view. A pathologically deep or circular structure causes unbounded recursion. The graph validator (validateAutomationGraph) doesn't inspect these. A depth cap of ~5 levels would prevent stack overflow from adversarial/malformed configs.

5. action.sendMessage channel not clamped (actionExecutor.ts:61)

const channel = p.channel != null ? Number(p.channel) : triggerChannel;

No validation that channel ∈ [0, 7]. An out-of-range value is silently forwarded to the manager. A Math.max(0, Math.min(7, channel)) clamp would be defensive.

6. No foreign key between automation_runs.automationId and automations.id (migrations 098)

Neither the SQLite, PostgreSQL, nor MySQL migration creates an FK constraint between automation_runs.automationId and automations.id. Orphaned run rows will accumulate when automations are deleted (the repository's deleteAutomation doesn't cascade-delete runs). This is probably deliberate for performance/flexibility, but it means listRuns can return rows for deleted automations with no corresponding parent.

7. reloadAutomations() on every mutation is a full rebuild (automationRoutes.ts:223, 263, 274, 285, 296)

Every create/update/enable/disable/delete rebuilds the entire automation index from a full table scan. For Phase 1a scale this is fine. Worth noting for future work with larger automation sets.

8. confirm() / alert() in UI (AutomationsPage.tsx:87, 91)

const remove = async (a: Automation) => { if (!confirm(...)) return; ...
alert('Exported JSON copied to clipboard.');

Browser-native confirm()/alert() block the main thread and are unavailable in some embedded/WebView contexts. The existing app appears to have toast/modal patterns — using those would be more consistent. Low priority nit.

9. trigger.schedule is declared but never wired (automationEngineSingleton.ts, automationEngineService.ts)

trigger.schedule appears in TRIGGER_TYPES and the catalog but there's no cron/interval emitter anywhere in the singleton. Like trigger.nodeDiscovered, a user creating a schedule automation will have it silently never fire. Same recommendation: grey it out in the UI or add a visible "coming soon" label.

---

Test Coverage Assessment

Strong areas:

• graphEvaluator.test.ts — 281 lines, covers fanout/collapse/action capping/error handling
• conditionEvaluator.test.ts — covers numeric, string, distance, time range, variable conditions
• automationSimulator.test.ts — end-to-end dry-run coverage
• automationEngineService.test.ts — covers geofence, system prefilter, cooldown
• variableResolver.test.ts + variableCodec.test.ts — thorough codec/resolver coverage

Gaps:

• No test asserting trigger.nodeDiscovered never fires (documents the known limitation)
• No test for condition.logical with depth > 2 (recursion safety)
• No test for trigger.schedule being a no-op
• graphEvaluator.test.ts could add a case asserting steps.length === 1 when a condition throws (verify no double-push regression)

---

Summary

The implementation is production-quality for Phase 1a. The critical security concerns from the initial review (ReDoS, property injection, Apprise URL injection) have all been properly addressed. The most actionable remaining items before a 1.0 stamp:

1. trigger.nodeDiscovered + trigger.schedule dead triggers — UI should indicate these are inactive (feat: telemetry parsing, direct messages, danger zone, and UX improvements #6, feat: Add GitHub Container Registry publishing and pre-built images #9)
2. condition.logical depth limit — add a recursion guard (feat: traceroute request tracking and auth documentation #4)
3. Run log size — automation_runs.log has no application-level size cap; prolific automations can generate large blobs
4. any casts — minor cleanup (feat: traceroute highlighting and UI improvements #2)