@beastmode-develeap/beastmode 0.1.36 → 0.1.38

package/dist/index.js

@@ -7318,7 +7318,13 @@ function generateComposeYaml(tag) {
       - ./config:/app/config
       - ./runs:/app/runs
       - ./daemon/logs:/app/daemon/logs:ro
-      - \${HOME}/.claude:/root/.claude:ro
+      # Claude credentials for the chat feature. Target /home/appuser/.claude
+      # matches the ui image's USER appuser (cli/Dockerfile sets HOME to
+      # /home/appuser); the entrypoint restores .claude.json from the
+      # newest backup in this dir at startup so chat works across container
+      # restarts. Pre-2026-04-15 this used /root/.claude, which silently
+      # broke chat because appuser couldn't read those files.
+      - \${HOME}/.claude:/home/appuser/.claude:ro
     depends_on:
       board:
         condition: service_healthy
@@ -7337,6 +7343,15 @@ function generateComposeYaml(tag) {
       - BEASTMODE_ROOT=/app
       - BEASTMODE_BOARD_URL=http://board:8080
     volumes:
+      # Factory state (projects, extensions, deploy strategies). Shared
+      # with the ui container so Settings UI edits AND daemon-side
+      # template seeding (from project-templates/) both land in the same
+      # bind-mounted location. Pre-2026-04-15 this mount was missing
+      # from the daemon service, which silently caused the daemon's
+      # template-seeding logic to write to ephemeral in-container
+      # storage \u2014 the seeded files were invisible to the ui and lost
+      # on restart.
+      - ./.beastmode:/app/.beastmode
       # Daemon config files. Mounted from the host so Settings UI writes
       # (to beastmode.docker.json) are picked up on daemon restart without
       # rebuilding the image.
@@ -7384,7 +7399,25 @@ function step(n, total, text) {
 }
 
 // src/cli/commands/init.ts
-var initCommand = new Command("init").description("Create a new BeastMode factory").argument("[name]", "Factory name (default: current directory name)").option("--project <path>", "Path to target project").option("--preset <preset>", "Pipeline preset (full, lean, prototype, infra, docs)").option("--backend <backend>", "Task backend (beastmode-board, github-issues)").option("--deploy <target>", "Deploy target (pr-only, vercel, aws-ecs, ...)").option("--methodology <name>", "Development methodology plugin").option("--plugin <name>", "Install plugin (repeatable)", collect, []).option("--from <template>", "Import config from template file").option("--ui", "Open web wizard instead of CLI").option("--yes", "Accept all defaults (non-interactive)").option("--github-token <token>", "GitHub PAT (avoids interactive prompt)").option("--github-token-file <path>", "Read GitHub PAT from file (safer than --github-token)").option("--board-password <password>", "Board UI password (avoids interactive prompt)").option("--board-password-file <path>", "Read board password from file").action(async (name, opts) => {
+var initCommand = new Command("init").description("Create a new BeastMode factory").argument("[name]", "Factory name (default: current directory name)").option("--project <path>", "Path to target project").option("--preset <preset>", "Pipeline preset (full, lean, prototype, infra, docs)").option("--backend <backend>", "Task backend (beastmode-board, github-issues)").option("--deploy <target>", "Deploy target (pr-only, vercel, aws-ecs, ...)").option("--methodology <name>", "Development methodology plugin").option("--plugin <name>", "Install plugin (repeatable)", collect, []).option("--from <template>", "Import config from template file").option("--ui", "Open web wizard instead of CLI").option("--yes", "Accept all defaults (non-interactive)").option(
+  "--project-github-token <token>",
+  "GitHub PAT for the daemon's project operations (commit/push/PR/merge against PROJECT_DIR's git remote \u2014 needs `repo` scope). Alias for the legacy --github-token flag."
+).option(
+  "--project-github-token-file <path>",
+  "Read project GitHub PAT from file (safer than --project-github-token)"
+).option(
+  "--github-token <token>",
+  "Deprecated alias for --project-github-token. Kept for backward compat."
+).option(
+  "--github-token-file <path>",
+  "Deprecated alias for --project-github-token-file. Kept for backward compat."
+).option(
+  "--ghcr-pull-token <token>",
+  "GitHub PAT for pulling private beastmode images from ghcr.io/develeap/beastmode/* \u2014 needs `read:packages` scope. May be the same as --project-github-token but should normally be a separate dedicated token (Gap 16)."
+).option(
+  "--ghcr-pull-token-file <path>",
+  "Read GHCR pull token from file (safer than --ghcr-pull-token)"
+).option("--board-password <password>", "Board UI password (avoids interactive prompt)").option("--board-password-file <path>", "Read board password from file").action(async (name, opts) => {
   try {
     await runInit(name, opts);
   } catch (err) {
@@ -7699,23 +7732,44 @@ async function runImageModeInit(name, opts) {
   const factoryName = name || ".";
   const targetDir = resolve5(factoryName === "." ? "." : factoryName);
   step(1, totalSteps, "Credentials");
-  let githubToken = opts.githubToken || (opts.githubTokenFile ? readSecretFile(opts.githubTokenFile) : "") || process.env.GITHUB_TOKEN || "";
-  if (!githubToken && !opts.yes) {
+  let projectGithubToken = opts.projectGithubToken || (opts.projectGithubTokenFile ? readSecretFile(opts.projectGithubTokenFile) : "") || opts.githubToken || (opts.githubTokenFile ? readSecretFile(opts.githubTokenFile) : "") || process.env.PROJECT_GITHUB_TOKEN || process.env.GITHUB_TOKEN || "";
+  if (!projectGithubToken && !opts.yes) {
+    const answer = await inquirer.prompt([
+      {
+        type: "password",
+        name: "token",
+        message: "PROJECT_GITHUB_TOKEN (PAT for project commits/pushes/PRs \u2014 `repo` scope, or `public_repo` for public-only):",
+        mask: "*"
+      }
+    ]);
+    projectGithubToken = answer.token || "";
+  }
+  if (projectGithubToken) {
+    success("PROJECT_GITHUB_TOKEN set");
+  } else {
+    warn("PROJECT_GITHUB_TOKEN not set \u2014 daemon's git operations will fail until added to .env");
+  }
+  let ghcrPullToken = opts.ghcrPullToken || (opts.ghcrPullTokenFile ? readSecretFile(opts.ghcrPullTokenFile) : "") || process.env.GHCR_PULL_TOKEN || "";
+  if (!ghcrPullToken && !opts.yes) {
     const answer = await inquirer.prompt([
       {
         type: "password",
         name: "token",
-        message: "GITHUB_TOKEN (PAT with repo + workflow scopes):",
+        message: "GHCR_PULL_TOKEN (PAT for pulling private beastmode images from ghcr.io/develeap/beastmode/* \u2014 `read:packages` scope. Leave empty to fall back to the project token):",
         mask: "*"
       }
     ]);
-    githubToken = answer.token || "";
+    ghcrPullToken = answer.token || "";
   }
-  if (githubToken) {
-    success("GITHUB_TOKEN set");
+  if (!ghcrPullToken && projectGithubToken) {
+    ghcrPullToken = projectGithubToken;
+    info("GHCR_PULL_TOKEN: falling back to PROJECT_GITHUB_TOKEN (you can split them later in .env)");
+  } else if (ghcrPullToken) {
+    success("GHCR_PULL_TOKEN set");
   } else {
-    warn("GITHUB_TOKEN not set \u2014 add to .env later");
+    warn("GHCR_PULL_TOKEN not set \u2014 `docker compose pull` will fail for private images. Add to .env later.");
   }
+  const githubToken = projectGithubToken;
   let uiPassword = opts.boardPassword || (opts.boardPasswordFile ? readSecretFile(opts.boardPasswordFile) : "") || "";
   if (!uiPassword && !opts.yes) {
     const { password } = await inquirer.prompt([
@@ -7772,12 +7826,15 @@ async function runImageModeInit(name, opts) {
   }
   step(2, totalSteps, "Docker Registry");
   if (!isGhcrAuthenticated()) {
-    if (githubToken && loginToGhcr(githubToken)) {
-      success("Authenticated to ghcr.io (via GitHub token)");
+    const tokenForLogin = ghcrPullToken || projectGithubToken;
+    if (tokenForLogin && loginToGhcr(tokenForLogin)) {
+      success(
+        `Authenticated to ghcr.io (via ${ghcrPullToken ? "GHCR_PULL_TOKEN" : "PROJECT_GITHUB_TOKEN fallback"})`
+      );
     } else {
       info("Not logged in to ghcr.io \u2014 images may still pull if public");
       info("  To log in manually: docker login ghcr.io -u <your-github-username>");
-      if (!opts.yes && !opts.githubToken) {
+      if (!opts.yes && !opts.githubToken && !opts.projectGithubToken && !opts.ghcrPullToken) {
         const { retry } = await inquirer.prompt([
           {
             type: "confirm",
@@ -7802,23 +7859,44 @@ async function runImageModeInit(name, opts) {
   success("docker-compose.yml");
   const envLines = [
     "# BeastMode environment \u2014 DO NOT COMMIT",
-    `GITHUB_TOKEN=${githubToken}`,
+    "",
+    "# \u2500\u2500 Project credentials (Gap 16 \u2014 two-PAT model) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# PROJECT_GITHUB_TOKEN: used by the daemon and Claude to commit /",
+    "# push / open PRs / merge / review against the target project repo.",
+    "# Needs `repo` scope for private repos, `public_repo` for public.",
+    "# Aliased to GITHUB_TOKEN for backward compat with the gh CLI and",
+    "# any code that still reads GITHUB_TOKEN.",
+    `PROJECT_GITHUB_TOKEN=${projectGithubToken}`,
+    `GITHUB_TOKEN=${projectGithubToken}`,
+    "",
+    "# GHCR_PULL_TOKEN: used by `docker compose pull` to fetch the",
+    "# beastmode factory images from ghcr.io/develeap/beastmode/*.",
+    "# Maintainer-provided (shared across a team) or your own PAT with",
+    "# `read:packages` scope added. Rotates rarely. May be the same as",
+    "# PROJECT_GITHUB_TOKEN but is normally a separate dedicated token.",
+    `GHCR_PULL_TOKEN=${ghcrPullToken}`,
+    "",
     `BEASTMODE_UI_PASSWORD=${uiPassword}`,
     "",
-    "# Project repo path \u2014 the daemon's git operations target the git remote of this path.",
+    "# \u2500\u2500 Project location \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# Required. The daemon's git operations target the git remote of",
+    "# this path. The daemon auto-resolves the github repo from",
+    "# `git -C $PROJECT_DIR remote get-url origin` at startup.",
     `PROJECT_DIR=${projectPath}`,
     "",
-    "# Optional: uncomment for faster direct API calls",
+    "# \u2500\u2500 Optional \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# Uncomment for faster direct Anthropic API calls (bypasses the",
+    "# Claude Code subscription auth via ~/.claude.json).",
     "# ANTHROPIC_API_KEY=sk-ant-...",
     "",
-    "# Optional: last-resort override if the daemon's auto-resolution",
+    "# Last-resort override if the daemon's project_repo auto-resolution",
     "# (git remote get-url origin) doesn't work for your setup.",
     "# The daemon handles this automatically in >99% of cases.",
     "# PROJECT_REPO=owner/repo",
     ""
   ];
   writeFileSync13(join15(targetDir, ".env"), envLines.join("\n"), "utf-8");
-  success(`.env (PROJECT_DIR=${projectPath})`);
+  success(`.env (PROJECT_DIR=${projectPath}, two-PAT model)`);
   for (const dir of ["data", "runs", "daemon/logs", ".beastmode", "config"]) {
     mkdirSync12(join15(targetDir, dir), { recursive: true });
   }
@@ -8725,6 +8803,185 @@ function checkGithubToken(env) {
   }
   return { label: "GITHUB_TOKEN / GH_TOKEN", status: "pass", detail: "set" };
 }
+async function checkProjectGithubToken(env, factoryDir) {
+  const token = env.PROJECT_GITHUB_TOKEN || env.GITHUB_TOKEN;
+  if (!token) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: "not set in env (or factory .env)",
+      fix: "Add PROJECT_GITHUB_TOKEN=ghp_... to .env (needs `repo` scope for private, `public_repo` for public)"
+    };
+  }
+  let ownerRepo = null;
+  if (factoryDir) {
+    const envPath = join22(factoryDir, ".env");
+    if (existsSync24(envPath)) {
+      try {
+        const content = readFileSync21(envPath, "utf-8");
+        const dirLine = content.split("\n").find(
+          (l) => l.trim().startsWith("PROJECT_DIR=") && !l.trim().startsWith("#")
+        );
+        if (dirLine) {
+          const projectDir = dirLine.split("=").slice(1).join("=").trim();
+          if (projectDir && existsSync24(join22(projectDir, ".git"))) {
+            const remote = tryExec(
+              `git -C "${projectDir}" remote get-url origin 2>/dev/null`
+            );
+            if (remote) {
+              const m = remote.match(
+                /(?:https?:\/\/[^/]+\/|git@[^:]+:)([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/
+              );
+              if (m) ownerRepo = `${m[1]}/${m[2]}`;
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const apiPath = ownerRepo ? `/repos/${ownerRepo}` : "/user";
+  const result = await new Promise((resolveProm) => {
+    const req = https.request(
+      {
+        hostname: "api.github.com",
+        path: apiPath,
+        method: "GET",
+        headers: {
+          "User-Agent": "beastmode-doctor",
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json"
+        },
+        timeout: 8e3
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => {
+          data += chunk;
+        });
+        res.on("end", () => {
+          let canPush = null;
+          try {
+            const parsed = JSON.parse(data);
+            if (parsed.permissions && typeof parsed.permissions.push === "boolean") {
+              canPush = parsed.permissions.push;
+            }
+          } catch {
+          }
+          resolveProm({ status: res.statusCode ?? 0, canPush });
+        });
+      }
+    );
+    req.on("error", () => resolveProm({ status: 0, canPush: null }));
+    req.on("timeout", () => {
+      req.destroy();
+      resolveProm({ status: 0, canPush: null });
+    });
+    req.end();
+  });
+  if (result.status === 0) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "warn",
+      detail: "set but api.github.com unreachable (network issue?)"
+    };
+  }
+  if (result.status === 401 || result.status === 403) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: `invalid (HTTP ${result.status}${ownerRepo ? ` for ${ownerRepo}` : ""})`,
+      fix: "Check the token at https://github.com/settings/tokens \u2014 needs `repo` scope (or `public_repo` for public repos only)"
+    };
+  }
+  if (result.status === 404 && ownerRepo) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: `cannot access ${ownerRepo} (HTTP 404 \u2014 repo missing or token has no read permission)`,
+      fix: "Verify the token has access to the target repo + the repo URL is correct in PROJECT_DIR"
+    };
+  }
+  if (result.status >= 200 && result.status < 300) {
+    if (ownerRepo && result.canPush === true) {
+      return {
+        label: "PROJECT_GITHUB_TOKEN",
+        status: "pass",
+        detail: `valid + write access to ${ownerRepo}`
+      };
+    }
+    if (ownerRepo && result.canPush === false) {
+      return {
+        label: "PROJECT_GITHUB_TOKEN",
+        status: "fail",
+        detail: `valid but NO write access to ${ownerRepo}`,
+        fix: "The token's user is not a collaborator on the target repo OR the token lacks `repo` scope"
+      };
+    }
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "pass",
+      detail: ownerRepo ? `valid (couldn't determine permissions \u2014 repo response had no permissions field)` : `valid (skipped per-repo check \u2014 no PROJECT_DIR resolvable)`
+    };
+  }
+  return {
+    label: "PROJECT_GITHUB_TOKEN",
+    status: "warn",
+    detail: `HTTP ${result.status}`
+  };
+}
+function checkGhcrPullToken(env) {
+  const token = env.GHCR_PULL_TOKEN;
+  if (!token) {
+    if (env.GITHUB_TOKEN || env.PROJECT_GITHUB_TOKEN) {
+      return {
+        label: "GHCR_PULL_TOKEN",
+        status: "warn",
+        detail: "not set; falling back to PROJECT_GITHUB_TOKEN (works if it has read:packages scope)",
+        fix: "Set GHCR_PULL_TOKEN=ghp_... in .env for a dedicated read-only token (read:packages scope)"
+      };
+    }
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "fail",
+      detail: "not set \u2014 `docker compose pull` cannot fetch private beastmode images",
+      fix: "Set GHCR_PULL_TOKEN=ghp_... in .env (read:packages scope)"
+    };
+  }
+  const loggedIn = tryExec("docker login ghcr.io --get-login 2>/dev/null");
+  if (!loggedIn) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "warn",
+      detail: "set in env but docker is not logged in to ghcr.io",
+      fix: "Run `docker login ghcr.io -u <github-username> --password-stdin <<< $GHCR_PULL_TOKEN`"
+    };
+  }
+  const inspect = tryExec(
+    "docker manifest inspect ghcr.io/develeap/beastmode/board:latest 2>&1",
+    15e3
+  );
+  if (inspect && (inspect.includes("schemaVersion") || inspect.includes("mediaType"))) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "pass",
+      detail: `valid (logged in as ${loggedIn}, can pull beastmode images)`
+    };
+  }
+  if (inspect && inspect.includes("denied")) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "fail",
+      detail: "logged in but lacks read:packages scope (denied)",
+      fix: "Generate a new PAT at https://github.com/settings/tokens with `read:packages` scope"
+    };
+  }
+  return {
+    label: "GHCR_PULL_TOKEN",
+    status: "warn",
+    detail: `logged in as ${loggedIn} but image inspect didn't return a manifest`
+  };
+}
 function checkDocker() {
   const out = tryExec("docker info --format '{{.ServerVersion}}' 2>/dev/null");
   if (out) {
@@ -9359,6 +9616,8 @@ var doctorCommand = new Command11("doctor").description("Health check \u2014 val
   const checks = [];
   checks.push(...await checkClaudeAuth(env.ANTHROPIC_API_KEY));
   checks.push(checkGithubToken(env));
+  checks.push(await checkProjectGithubToken(env, hasFactory ? factoryDir : null));
+  checks.push(checkGhcrPullToken(env));
   checks.push(checkDocker());
   checks.push(checkDockerComposeVersion());
   checks.push(checkGhcrAuth());