@inetafrica/open-claudia 1.13.4 → 1.14.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## v1.14.0
+- Claude Code auth management from Telegram: `/auth_status`, `/login`, `/setup_token`, `/use_oauth_token`, and `/clear_oauth_token`
+- Claude subprocesses now receive `CLAUDE_CODE_OAUTH_TOKEN` from config/env/vault when available, avoiding launchd/macOS Keychain auth failures
+- Sensitive Claude tokens are redacted from Telegram output and logs
+- Package lock metadata corrected to match `@inetafrica/open-claudia`
+
 ## v1.12.0
 - Cursor Agent tool progress: Shell, Read, Edit, Write, Grep, Glob calls now show in real-time Telegram updates
 - Plan output surfaced to Telegram: when Cursor creates a plan (`--mode plan`), the full plan markdown and task list are sent to the user

package/README.md

@@ -55,7 +55,7 @@ agent login               # Opens browser to authenticate
 agent status              # Verify: should show your email and plan
 ```
 
-> **Important**: Both CLIs store authentication locally on the machine. Open Claudia doesn't handle auth itself — it shells out to whichever CLI you've authenticated. If you see auth errors in Telegram, SSH into the machine and re-authenticate the relevant CLI.
+> **Important**: Claude Code can use macOS Keychain when you log in interactively, but a launchd/background bot may not be able to read that Keychain session. Open Claudia v1.14.0 adds Telegram auth helpers and supports `CLAUDE_CODE_OAUTH_TOKEN` for non-interactive Claude runs. Prefer `/setup_token` then `/use_oauth_token` if Telegram shows Claude auth/keychain errors.
 
 ### 2. Install Open Claudia
 
@@ -141,6 +141,20 @@ When you select a project, the last conversation is automatically resumed. Tap "
 | `/vault` | Manage encrypted credentials (password required) |
 | `/soul` | View/edit assistant identity and personality |
 
+### Claude Code Auth
+
+| Command | Description |
+|---------|-------------|
+| `/auth_status` | Runs `claude auth status` and reports redacted status plus whether the bot has an OAuth token configured |
+| `/login` | Starts `claude auth login --claudeai --email sumeet@inet.africa`, sends the login URL/code, and accepts paste-back codes |
+| `/setup_token` | Starts `claude setup-token`; if Claude prints an OAuth token, Open Claudia stores it without echoing it |
+| `/use_oauth_token <token>` | Stores `CLAUDE_CODE_OAUTH_TOKEN` in config for launchd/non-interactive Claude runs; the Telegram message is deleted when possible |
+| `/use_oauth_token` | Secure pending mode: send the token as the next message and it will be deleted/stored without echo |
+| `/clear_oauth_token` | Removes the stored OAuth token from config/process, and from vault if it is unlocked |
+
+Tokens are redacted from Telegram output and logs. If the encrypted vault is unlocked, `/use_oauth_token` also mirrors the token into the vault, but `.env` storage is what lets launchd pass `CLAUDE_CODE_OAUTH_TOKEN` to Claude without relying on macOS Keychain.
+
+
 ### System
 
 | Command | Description |

package/bot-agent.js

@@ -190,6 +190,9 @@ bot.setMyCommands([
   { command: "cursor", description: "Switch to Cursor Agent backend" },
   { command: "claude", description: "Switch to Claude Code backend" },
   { command: "backend", description: "Show/switch active backend" },
+  { command: "auth_status", description: "Check Claude Code auth" },
+  { command: "login", description: "Start Claude Code login" },
+  { command: "setup_token", description: "Create Claude OAuth token" },
   { command: "stop", description: "Cancel running task" },
   { command: "end", description: "End current session" },
   { command: "version", description: "Show current version" },
@@ -298,7 +301,10 @@ let messageQueue = [];            // Fallback queue (only used if chat process a
 let activeCrons = new Map();
 let pendingVaultUnlock = false;
 let pendingVaultAction = null;
+let pendingClaudeAuthProcess = null;
+let pendingClaudeAuthLabel = null;
 let isFirstMessage = !lastSessionId;
+let lastInputWasVoice = false;
 
 let settings = savedState.settings || {
   model: null, effort: null, budget: null, permissionMode: null, worktree: false, backend: "claude",
@@ -661,11 +667,245 @@ function transcribeAudio(oggPath) {
     .join(" ").trim();
 }
 
+// ── Text-to-Speech ────────────────────────────────────────────────
+
+const TTS_CMD = process.platform === "darwin" ? "say" : null;
+
+function textToVoice(text) {
+  if (!TTS_CMD || !FFMPEG) return null;
+  try {
+    const clean = text.replace(/[*_`#>\[\]()]/g, "").replace(/\n{2,}/g, ". ").replace(/\n/g, " ").trim();
+    if (!clean) return null;
+    const aiffPath = path.join(TEMP_DIR, `tts-${Date.now()}.aiff`);
+    const oggPath = aiffPath.replace(".aiff", ".ogg");
+    execSync(`${TTS_CMD} ${JSON.stringify(clean)} -o "${aiffPath}"`, { timeout: 30000 });
+    execSync(`"${FFMPEG}" -i "${aiffPath}" -c:a libopus -y "${oggPath}" 2>/dev/null`, { timeout: 30000 });
+    try { fs.unlinkSync(aiffPath); } catch (e) {}
+    return oggPath;
+  } catch (e) {
+    console.error("TTS error:", e.message);
+    return null;
+  }
+}
+
+async function sendVoice(oggPath) {
+  try {
+    await bot.sendVoice(CHAT_ID, oggPath);
+    try { fs.unlinkSync(oggPath); } catch (e) {}
+    return true;
+  } catch (e) {
+    console.error("Send voice error:", e.message);
+    try { fs.unlinkSync(oggPath); } catch (e2) {}
+    return false;
+  }
+}
+
 // Delete a message (used for vault password cleanup)
 async function deleteMessage(msgId) {
   try { await bot.deleteMessage(CHAT_ID, msgId); } catch (e) { /* ignore */ }
 }
 
+
+// ── Claude Auth Helpers ─────────────────────────────────────────────
+
+const CLAUDE_OAUTH_TOKEN_KEY = "CLAUDE_CODE_OAUTH_TOKEN";
+const CLAUDE_OAUTH_VAULT_KEY = "claude_oauth_token";
+
+function redactSensitive(value) {
+  return String(value || "")
+    .replace(/sk-ant-[A-Za-z0-9._-]+/g, "[REDACTED_TOKEN]")
+    .replace(/(Bearer\s+)[A-Za-z0-9._=-]+/gi, "$1[REDACTED_TOKEN]")
+    .replace(/(CLAUDE_CODE_OAUTH_TOKEN\s*=\s*)\S+/gi, "$1[REDACTED_TOKEN]")
+    .replace(/([?&](?:token|access_token|refresh_token)=)[^\s&]+/gi, "$1[REDACTED]");
+}
+
+function looksLikeClaudeToken(value) {
+  const text = String(value || "").trim();
+  return /^sk-ant-[A-Za-z0-9._-]+$/.test(text) || text.length >= 80 && /^[A-Za-z0-9._=-]+$/.test(text);
+}
+
+function getClaudeOAuthToken() {
+  if (config[CLAUDE_OAUTH_TOKEN_KEY]) return { value: config[CLAUDE_OAUTH_TOKEN_KEY], source: ".env" };
+  if (process.env.CLAUDE_CODE_OAUTH_TOKEN) return { value: process.env.CLAUDE_CODE_OAUTH_TOKEN, source: "process env" };
+  if (vault.isUnlocked()) {
+    const value = vault.get(CLAUDE_OAUTH_VAULT_KEY) || vault.get(CLAUDE_OAUTH_TOKEN_KEY);
+    if (value) return { value, source: "vault" };
+  }
+  return { value: null, source: null };
+}
+
+function claudeSubprocessEnv() {
+  const env = { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME };
+  const token = getClaudeOAuthToken().value;
+  if (token) env.CLAUDE_CODE_OAUTH_TOKEN = token;
+  return env;
+}
+
+function saveClaudeOAuthToken(token) {
+  const clean = String(token || "").trim();
+  if (!clean) return false;
+  saveEnvKey(CLAUDE_OAUTH_TOKEN_KEY, clean);
+  config[CLAUDE_OAUTH_TOKEN_KEY] = clean;
+  process.env.CLAUDE_CODE_OAUTH_TOKEN = clean;
+  if (vault.isUnlocked()) vault.set(CLAUDE_OAUTH_VAULT_KEY, clean);
+  return true;
+}
+
+function clearClaudeOAuthToken() {
+  saveEnvKey(CLAUDE_OAUTH_TOKEN_KEY, "");
+  config[CLAUDE_OAUTH_TOKEN_KEY] = "";
+  delete process.env.CLAUDE_CODE_OAUTH_TOKEN;
+  if (vault.isUnlocked()) {
+    vault.remove(CLAUDE_OAUTH_VAULT_KEY);
+    vault.remove(CLAUDE_OAUTH_TOKEN_KEY);
+  }
+}
+
+function extractClaudeToken(text) {
+  const match = String(text || "").match(/sk-ant-[A-Za-z0-9._-]+/);
+  return match ? match[0] : null;
+}
+
+function extractUrls(text) {
+  return [...String(text || "").matchAll(/https?:\/\/[^\s)]+/g)].map((m) => m[0]);
+}
+
+
+function isClaudeAuthErrorText(text) {
+  const lower = String(text || "").toLowerCase();
+  return lower.includes("unauthorized") ||
+    lower.includes("not logged in") ||
+    lower.includes("login required") ||
+    lower.includes("reauthenticate") ||
+    lower.includes("re-authenticate") ||
+    lower.includes("authentication failed") ||
+    lower.includes("auth failed") ||
+    lower.includes("invalid api key") ||
+    lower.includes("api key") && lower.includes("invalid") ||
+    lower.includes("keychain") && (lower.includes("unlock") || lower.includes("could not") || lower.includes("failed")) ||
+    lower.includes("security unlock-keychain");
+}
+
+function claudeAuthRecoveryMessage(reason = "Claude Code authentication failed") {
+  const tokenInfo = getClaudeOAuthToken();
+  const tokenLine = tokenInfo.value
+    ? `Stored OAuth token: yes (${tokenInfo.source})`
+    : "Stored OAuth token: no";
+  return [
+    `Claude auth needs attention: ${redactSensitive(reason)}`,
+    "",
+    tokenLine,
+    "",
+    "Try one of these from Telegram:",
+    "1. /auth_status — check what Claude sees",
+    "2. /setup_token — create a long-lived Claude Code token, then store it",
+    "3. /use_oauth_token — paste the token securely if you already generated one",
+    "4. /login — interactive Claude.ai browser login fallback",
+    "",
+    "If this is a macOS Keychain problem after SSH/reboot, run on the Mac:",
+    "security unlock-keychain",
+    "",
+    "Recommended for this bot: /setup_token + /use_oauth_token so launchd does not depend on Keychain."
+  ].join("\n");
+}
+
+function preflightClaudeAuthMessage() {
+  if (settings.backend === "cursor") return null;
+  if (getClaudeOAuthToken().value) return null;
+  try {
+    const output = execSync(`"${CLAUDE_PATH}" auth status`, {
+      cwd: process.env.HOME || require("os").homedir(),
+      env: claudeSubprocessEnv(),
+      encoding: "utf8",
+      timeout: 10000,
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    if (isClaudeAuthErrorText(output)) return claudeAuthRecoveryMessage(output.trim().slice(-500));
+    return null;
+  } catch (e) {
+    const output = `${e.stdout || ""}\n${e.stderr || ""}\n${e.message || ""}`;
+    if (isClaudeAuthErrorText(output)) return claudeAuthRecoveryMessage(output.trim().slice(-500));
+    return null;
+  }
+}
+
+
+function summarizeClaudeAuthStatus(output, exitCode, tokenInfo) {
+  const text = String(output || "");
+  const lower = text.toLowerCase();
+  const loggedOut = /not (logged in|authenticated)|unauthenticated|no auth|login required/.test(lower);
+  const loggedIn = !loggedOut && (exitCode === 0 || /logged in|authenticated|claude\.ai|anthropic/.test(lower));
+  const email = (text.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i) || [null])[0];
+  const provider = /claude\.ai|claudeai/.test(lower) ? "Claude.ai" : (/anthropic/.test(lower) ? "Anthropic" : "unknown");
+  let method = tokenInfo.value ? `OAuth token (${tokenInfo.source})` : "unknown";
+  if (/api key|apikey/.test(lower)) method = "API key";
+  else if (/oauth|claude\.ai|claudeai/.test(lower)) method = tokenInfo.value ? `OAuth token (${tokenInfo.source})` : "OAuth/Claude.ai";
+  return [
+    `Logged in: ${loggedIn ? "yes" : (loggedOut ? "no" : "unknown")}`,
+    `Auth method: ${method}`,
+    `Email: ${email || "unknown"}`,
+    `Provider: ${provider}`,
+  ];
+}
+
+async function runClaudeAuthCommand(args, label, opts = {}) {
+  if (pendingClaudeAuthProcess) {
+    await send(`Another Claude auth flow is already running (${pendingClaudeAuthLabel}). Send the requested code/token or wait for it to finish.`);
+    return;
+  }
+  await send(`${label} started...`);
+  const proc = spawn(CLAUDE_PATH, args, {
+    cwd: process.env.HOME || require("os").homedir(),
+    env: claudeSubprocessEnv(),
+    stdio: ["pipe", "pipe", "pipe"],
+  });
+  pendingClaudeAuthProcess = proc;
+  pendingClaudeAuthLabel = label;
+  let output = "";
+  let sentUrls = new Set();
+  let tokenStored = false;
+  let lastSnippetAt = 0;
+
+  const handleChunk = async (chunk) => {
+    output += chunk;
+    const token = opts.captureToken ? extractClaudeToken(chunk) || extractClaudeToken(output) : null;
+    if (token && !tokenStored) {
+      tokenStored = saveClaudeOAuthToken(token);
+      await send(tokenStored ? "Claude OAuth token captured and stored. I did not print it." : "Claude OAuth token appeared, but I could not store it.");
+    }
+    for (const url of extractUrls(chunk)) {
+      if (!sentUrls.has(url)) {
+        sentUrls.add(url);
+        await send(`${label} URL:\n${redactSensitive(url)}\n\nOpen it, complete the flow, then paste any code Claude asks for here.`);
+      }
+    }
+    const redacted = redactSensitive(chunk).trim();
+    const now = Date.now();
+    if (redacted && now - lastSnippetAt > 3000 && !looksLikeClaudeToken(redacted)) {
+      lastSnippetAt = now;
+      await send(redacted.length > 1200 ? redacted.slice(-1200) : redacted);
+    }
+  };
+
+  proc.stdout.on("data", (d) => handleChunk(d.toString()).catch((e) => console.error("Auth output error:", e.message)));
+  proc.stderr.on("data", (d) => handleChunk(d.toString()).catch((e) => console.error("Auth stderr error:", e.message)));
+  proc.on("close", async (code) => {
+    pendingClaudeAuthProcess = null;
+    pendingClaudeAuthLabel = null;
+    const token = opts.captureToken ? extractClaudeToken(output) : null;
+    if (token && !tokenStored) tokenStored = saveClaudeOAuthToken(token);
+    const final = redactSensitive(output.trim());
+    if (tokenStored) await send(`${label} finished. OAuth token stored for launchd/non-interactive Claude runs.`);
+    else if (final) await send(`${label} finished (exit ${code}).\n\n${final.slice(-2500)}`);
+    else await send(`${label} finished (exit ${code}).`);
+  });
+  proc.on("error", async (err) => {
+    pendingClaudeAuthProcess = null;
+    pendingClaudeAuthLabel = null;
+    await send(`${label} failed: ${redactSensitive(err.message)}`);
+  });
+}
+
 // ── Claude Runner ───────────────────────────────────────────────────
 
 function parseStreamEvents(data) {
@@ -734,7 +974,7 @@ async function runClaudeChat(prompt, cwd, replyToMsgId) {
 
   const proc = spawn(CLAUDE_PATH, args, {
     cwd,
-    env: { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME },
+    env: claudeSubprocessEnv(),
     stdio: ["ignore", "pipe", "pipe"],
   });
 
@@ -779,6 +1019,12 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
     return;
   }
 
+  const authPreflight = preflightClaudeAuthMessage();
+  if (authPreflight) {
+    await send(authPreflight, { replyTo: replyToMsgId });
+    return;
+  }
+
   bot.sendChatAction(CHAT_ID, "typing");
   statusMessageId = null;
   streamBuffer = "";
@@ -791,7 +1037,7 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
   const binaryPath = getActiveBinary();
   const proc = spawn(binaryPath, args, {
     cwd,
-    env: { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME },
+    env: claudeSubprocessEnv(),
     stdio: ["ignore", "pipe", "pipe"],
     detached: process.platform !== "win32", // Create process group so /stop kills children too
   });
@@ -907,13 +1153,26 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
     }
   });
 
-  proc.stderr.on("data", (d) => console.error("STDERR:", d.toString()));
+  let stderrBuffer = "";
+  proc.stderr.on("data", (d) => {
+    const chunk = d.toString();
+    stderrBuffer += chunk;
+    console.error("STDERR:", redactSensitive(chunk));
+  });
 
   proc.on("close", async (code) => {
     runningProcess = null; runningProcessPrompt = null;
     clearTimeout(streamInterval); streamInterval = null;
+    if (settings.backend !== "cursor" && isClaudeAuthErrorText(stderrBuffer)) {
+      await send(claudeAuthRecoveryMessage(stderrBuffer.trim().slice(-800)), { replyTo: replyToMsgId });
+      return;
+    }
+    if (settings.backend === "cursor" && isClaudeAuthErrorText(stderrBuffer)) {
+      await send("Cursor authentication error. Run `agent login` on this machine, then retry.", { replyTo: replyToMsgId });
+      return;
+    }
     try {
-      const finalText = assistantText || "(no output)";
+      const finalText = redactSensitive(assistantText || "(no output)");
       const chunks = splitMessage(finalText);
       const firstChunk = chunks[0];
 
@@ -927,6 +1186,13 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
         }
       }
       if (code !== 0 && code !== null) await send(`Exit code: ${code}`);
+
+      // Send voice reply if input was a voice note
+      if (lastInputWasVoice && TTS_CMD) {
+        lastInputWasVoice = false;
+        const voicePath = textToVoice(finalText);
+        if (voicePath) await sendVoice(voicePath);
+      }
     } catch (e) {
       console.error("Final message delivery failed:", e.message);
       await send("Task completed but failed to deliver the response. Send /continue to see the result.");
@@ -958,13 +1224,13 @@ async function runClaudeSilent(prompt, cwd, label) {
       "--append-system-prompt", buildSystemPrompt(),
       "--dangerously-skip-permissions", prompt];
     const proc = spawn(CLAUDE_PATH, args, {
-      cwd, env: { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME },
+      cwd, env: claudeSubprocessEnv(),
       stdio: ["ignore", "pipe", "pipe"],
     });
     let output = "";
     proc.stdout.on("data", (d) => { output += d.toString(); });
     proc.on("close", async () => {
-      const chunks = splitMessage(`Cron: ${label}\n\n${output.trim() || "(no output)"}`);
+      const chunks = splitMessage(`Cron: ${label}\n\n${redactSensitive(output.trim() || "(no output)")}`);
       for (const c of chunks) await send(c);
       resolve();
     });
@@ -1064,6 +1330,7 @@ bot.onText(/\/help/, (msg) => {
     "Session: /session /sessions /projects /continue /status /stop /end",
     "Settings: /model /effort /budget /plan /compact /worktree /mode",
     "Automation: /cron /vault /soul",
+    "Claude auth: /auth_status /login /setup_token /use_oauth_token /clear_oauth_token",
     "System: /restart /upgrade",
     "",
     "Send text, voice, photos, or files.",
@@ -1312,6 +1579,64 @@ bot.onText(/\/soul$/, async (msg) => {
   await send(`Edit: ${SOUL_FILE}\nOr tell me what to change and I'll update it.`);
 });
 
+// ── Claude Auth Commands ────────────────────────────────────────────
+
+bot.onText(/\/(?:auth_status|auth status)$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  const tokenInfo = getClaudeOAuthToken();
+  const proc = spawn(CLAUDE_PATH, ["auth", "status"], {
+    cwd: process.env.HOME || require("os").homedir(),
+    env: claudeSubprocessEnv(),
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  let output = "";
+  proc.stdout.on("data", (d) => { output += d.toString(); });
+  proc.stderr.on("data", (d) => { output += d.toString(); });
+  proc.on("close", async (code) => {
+    const clean = redactSensitive(output.trim()) || "(no output)";
+    await send([
+      `Claude auth status: exit ${code}`,
+      ...summarizeClaudeAuthStatus(output, code, tokenInfo),
+      `Bot OAuth token: ${tokenInfo.value ? "configured via " + tokenInfo.source : "not configured"}`,
+      `Vault: ${vault.isUnlocked() ? "unlocked" : "locked"}`,
+      "",
+      clean.slice(-2500),
+    ].join("\n"));
+  });
+  proc.on("error", async (err) => send(`Claude auth status failed: ${redactSensitive(err.message)}`));
+});
+
+bot.onText(/\/login$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  await runClaudeAuthCommand(["auth", "login", "--claudeai", "--email", "sumeet@inet.africa"], "Claude login");
+});
+
+bot.onText(/\/setup_token$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  await runClaudeAuthCommand(["setup-token"], "Claude setup-token", { captureToken: true });
+});
+
+bot.onText(/\/use_oauth_token(?:\s+(.+))?$/, async (msg, match) => {
+  if (!isAuthorized(msg)) return;
+  const token = (match[1] || "").trim();
+  await deleteMessage(msg.message_id);
+  if (!token) {
+    pendingClaudeAuthProcess = { stdin: { write: (value) => saveClaudeOAuthToken(value.trim()) } };
+    pendingClaudeAuthLabel = "manual OAuth token save";
+    await send("Send the Claude OAuth token in your next message. I'll delete it and store it without echoing it.");
+    return;
+  }
+  if (!looksLikeClaudeToken(token)) return send("That doesn't look like a Claude OAuth token. Not saved.");
+  saveClaudeOAuthToken(token);
+  await send(`Claude OAuth token stored in .env${vault.isUnlocked() ? " and vault" : ""}. Restart the bot so launchd picks it up, or use /restart.`);
+});
+
+bot.onText(/\/clear_oauth_token$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  clearClaudeOAuthToken();
+  await send("Claude OAuth token cleared from .env/process" + (vault.isUnlocked() ? " and vault." : ". Unlock vault and run again if you also stored it there."));
+});
+
 // ── /vault with password protection ─────────────────────────────────
 
 bot.onText(/\/vault$/, async (msg) => {
@@ -1481,6 +1806,7 @@ bot.on("voice", async (msg) => {
     try { fs.unlinkSync(oggPath); } catch (e) {}
     if (!transcript) return send("Couldn't transcribe. Try typing it.");
     await send(`Heard: "${transcript}"`, { replyTo: msg.message_id });
+    lastInputWasVoice = true;
     await runClaude(transcript, currentSession.dir, msg.message_id);
   } catch (err) { await send(`Voice failed: ${err.message}`); }
 });
@@ -1547,6 +1873,29 @@ bot.on("message", async (msg) => {
   if (msg.voice || msg.audio || msg.photo || msg.document || msg.video || msg.sticker) return;
   if (isDuplicate(msg.message_id)) return;
 
+  // Handle pending Claude auth/token paste-back
+  if (pendingClaudeAuthProcess) {
+    const text = msg.text.trim();
+    await deleteMessage(msg.message_id);
+    if (pendingClaudeAuthLabel === "manual OAuth token save") {
+      pendingClaudeAuthProcess = null;
+      pendingClaudeAuthLabel = null;
+      if (!looksLikeClaudeToken(text)) { await send("That doesn't look like a Claude OAuth token. Not saved."); return; }
+      saveClaudeOAuthToken(text);
+      await send(`Claude OAuth token stored in .env${vault.isUnlocked() ? " and vault" : ""}. Restart the bot so launchd picks it up, or use /restart.`);
+      return;
+    }
+    try {
+      pendingClaudeAuthProcess.stdin.write(text + "\n");
+      await send("Sent to Claude auth process.");
+    } catch (e) {
+      pendingClaudeAuthProcess = null;
+      pendingClaudeAuthLabel = null;
+      await send(`Could not send to Claude auth process: ${redactSensitive(e.message)}`);
+    }
+    return;
+  }
+
   // Handle onboarding
   if (!isOnboarded() && onboardingStep) {
     await handleOnboarding(msg);

package/bot.js

@@ -248,6 +248,9 @@ bot.setMyCommands([
   { command: "cursor", description: "Switch to Cursor Agent backend" },
   { command: "claude", description: "Switch to Claude Code backend" },
   { command: "backend", description: "Show/switch active backend" },
+  { command: "auth_status", description: "Check Claude Code auth" },
+  { command: "login", description: "Start Claude Code login" },
+  { command: "setup_token", description: "Create Claude OAuth token" },
   { command: "stop", description: "Cancel running task" },
   { command: "end", description: "End current session" },
   { command: "version", description: "Show current version" },
@@ -359,7 +362,10 @@ let messageQueue = [];
 let activeCrons = new Map();
 let pendingVaultUnlock = false; // Waiting for password
 let pendingVaultAction = null;  // What to do after unlock
+let pendingClaudeAuthProcess = null;
+let pendingClaudeAuthLabel = null;
 let isFirstMessage = !lastSessionId; // Track if this is first message in session
+let lastInputWasVoice = false; // Reply with voice when input was voice
 
 let settings = savedState.settings || {
   model: null, effort: null, budget: null, permissionMode: null, worktree: false, backend: "claude",
@@ -722,11 +728,246 @@ function transcribeAudio(oggPath) {
     .join(" ").trim();
 }
 
+// ── Text-to-Speech ────────────────────────────────────────────────
+
+const TTS_CMD = process.platform === "darwin" ? "say" : null;
+
+function textToVoice(text) {
+  if (!TTS_CMD || !FFMPEG) return null;
+  try {
+    // Strip markdown formatting for cleaner speech
+    const clean = text.replace(/[*_`#>\[\]()]/g, "").replace(/\n{2,}/g, ". ").replace(/\n/g, " ").trim();
+    if (!clean) return null;
+    const aiffPath = path.join(TEMP_DIR, `tts-${Date.now()}.aiff`);
+    const oggPath = aiffPath.replace(".aiff", ".ogg");
+    execSync(`${TTS_CMD} ${JSON.stringify(clean)} -o "${aiffPath}"`, { timeout: 30000 });
+    execSync(`"${FFMPEG}" -i "${aiffPath}" -c:a libopus -y "${oggPath}" 2>/dev/null`, { timeout: 30000 });
+    try { fs.unlinkSync(aiffPath); } catch (e) {}
+    return oggPath;
+  } catch (e) {
+    console.error("TTS error:", e.message);
+    return null;
+  }
+}
+
+async function sendVoice(oggPath) {
+  try {
+    await bot.sendVoice(CHAT_ID, oggPath);
+    try { fs.unlinkSync(oggPath); } catch (e) {}
+    return true;
+  } catch (e) {
+    console.error("Send voice error:", e.message);
+    try { fs.unlinkSync(oggPath); } catch (e2) {}
+    return false;
+  }
+}
+
 // Delete a message (used for vault password cleanup)
 async function deleteMessage(msgId) {
   try { await bot.deleteMessage(CHAT_ID, msgId); } catch (e) { /* ignore */ }
 }
 
+
+// ── Claude Auth Helpers ─────────────────────────────────────────────
+
+const CLAUDE_OAUTH_TOKEN_KEY = "CLAUDE_CODE_OAUTH_TOKEN";
+const CLAUDE_OAUTH_VAULT_KEY = "claude_oauth_token";
+
+function redactSensitive(value) {
+  return String(value || "")
+    .replace(/sk-ant-[A-Za-z0-9._-]+/g, "[REDACTED_TOKEN]")
+    .replace(/(Bearer\s+)[A-Za-z0-9._=-]+/gi, "$1[REDACTED_TOKEN]")
+    .replace(/(CLAUDE_CODE_OAUTH_TOKEN\s*=\s*)\S+/gi, "$1[REDACTED_TOKEN]")
+    .replace(/([?&](?:token|access_token|refresh_token)=)[^\s&]+/gi, "$1[REDACTED]");
+}
+
+function looksLikeClaudeToken(value) {
+  const text = String(value || "").trim();
+  return /^sk-ant-[A-Za-z0-9._-]+$/.test(text) || text.length >= 80 && /^[A-Za-z0-9._=-]+$/.test(text);
+}
+
+function getClaudeOAuthToken() {
+  if (config[CLAUDE_OAUTH_TOKEN_KEY]) return { value: config[CLAUDE_OAUTH_TOKEN_KEY], source: ".env" };
+  if (process.env.CLAUDE_CODE_OAUTH_TOKEN) return { value: process.env.CLAUDE_CODE_OAUTH_TOKEN, source: "process env" };
+  if (vault.isUnlocked()) {
+    const value = vault.get(CLAUDE_OAUTH_VAULT_KEY) || vault.get(CLAUDE_OAUTH_TOKEN_KEY);
+    if (value) return { value, source: "vault" };
+  }
+  return { value: null, source: null };
+}
+
+function claudeSubprocessEnv() {
+  const env = { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME };
+  const token = getClaudeOAuthToken().value;
+  if (token) env.CLAUDE_CODE_OAUTH_TOKEN = token;
+  return env;
+}
+
+function saveClaudeOAuthToken(token) {
+  const clean = String(token || "").trim();
+  if (!clean) return false;
+  saveEnvKey(CLAUDE_OAUTH_TOKEN_KEY, clean);
+  config[CLAUDE_OAUTH_TOKEN_KEY] = clean;
+  process.env.CLAUDE_CODE_OAUTH_TOKEN = clean;
+  if (vault.isUnlocked()) vault.set(CLAUDE_OAUTH_VAULT_KEY, clean);
+  return true;
+}
+
+function clearClaudeOAuthToken() {
+  saveEnvKey(CLAUDE_OAUTH_TOKEN_KEY, "");
+  config[CLAUDE_OAUTH_TOKEN_KEY] = "";
+  delete process.env.CLAUDE_CODE_OAUTH_TOKEN;
+  if (vault.isUnlocked()) {
+    vault.remove(CLAUDE_OAUTH_VAULT_KEY);
+    vault.remove(CLAUDE_OAUTH_TOKEN_KEY);
+  }
+}
+
+function extractClaudeToken(text) {
+  const match = String(text || "").match(/sk-ant-[A-Za-z0-9._-]+/);
+  return match ? match[0] : null;
+}
+
+function extractUrls(text) {
+  return [...String(text || "").matchAll(/https?:\/\/[^\s)]+/g)].map((m) => m[0]);
+}
+
+
+function isClaudeAuthErrorText(text) {
+  const lower = String(text || "").toLowerCase();
+  return lower.includes("unauthorized") ||
+    lower.includes("not logged in") ||
+    lower.includes("login required") ||
+    lower.includes("reauthenticate") ||
+    lower.includes("re-authenticate") ||
+    lower.includes("authentication failed") ||
+    lower.includes("auth failed") ||
+    lower.includes("invalid api key") ||
+    lower.includes("api key") && lower.includes("invalid") ||
+    lower.includes("keychain") && (lower.includes("unlock") || lower.includes("could not") || lower.includes("failed")) ||
+    lower.includes("security unlock-keychain");
+}
+
+function claudeAuthRecoveryMessage(reason = "Claude Code authentication failed") {
+  const tokenInfo = getClaudeOAuthToken();
+  const tokenLine = tokenInfo.value
+    ? `Stored OAuth token: yes (${tokenInfo.source})`
+    : "Stored OAuth token: no";
+  return [
+    `Claude auth needs attention: ${redactSensitive(reason)}`,
+    "",
+    tokenLine,
+    "",
+    "Try one of these from Telegram:",
+    "1. /auth_status — check what Claude sees",
+    "2. /setup_token — create a long-lived Claude Code token, then store it",
+    "3. /use_oauth_token — paste the token securely if you already generated one",
+    "4. /login — interactive Claude.ai browser login fallback",
+    "",
+    "If this is a macOS Keychain problem after SSH/reboot, run on the Mac:",
+    "security unlock-keychain",
+    "",
+    "Recommended for this bot: /setup_token + /use_oauth_token so launchd does not depend on Keychain."
+  ].join("\n");
+}
+
+function preflightClaudeAuthMessage() {
+  if (settings.backend === "cursor") return null;
+  if (getClaudeOAuthToken().value) return null;
+  try {
+    const output = execSync(`"${CLAUDE_PATH}" auth status`, {
+      cwd: process.env.HOME || require("os").homedir(),
+      env: claudeSubprocessEnv(),
+      encoding: "utf8",
+      timeout: 10000,
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    if (isClaudeAuthErrorText(output)) return claudeAuthRecoveryMessage(output.trim().slice(-500));
+    return null;
+  } catch (e) {
+    const output = `${e.stdout || ""}\n${e.stderr || ""}\n${e.message || ""}`;
+    if (isClaudeAuthErrorText(output)) return claudeAuthRecoveryMessage(output.trim().slice(-500));
+    return null;
+  }
+}
+
+
+function summarizeClaudeAuthStatus(output, exitCode, tokenInfo) {
+  const text = String(output || "");
+  const lower = text.toLowerCase();
+  const loggedOut = /not (logged in|authenticated)|unauthenticated|no auth|login required/.test(lower);
+  const loggedIn = !loggedOut && (exitCode === 0 || /logged in|authenticated|claude\.ai|anthropic/.test(lower));
+  const email = (text.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i) || [null])[0];
+  const provider = /claude\.ai|claudeai/.test(lower) ? "Claude.ai" : (/anthropic/.test(lower) ? "Anthropic" : "unknown");
+  let method = tokenInfo.value ? `OAuth token (${tokenInfo.source})` : "unknown";
+  if (/api key|apikey/.test(lower)) method = "API key";
+  else if (/oauth|claude\.ai|claudeai/.test(lower)) method = tokenInfo.value ? `OAuth token (${tokenInfo.source})` : "OAuth/Claude.ai";
+  return [
+    `Logged in: ${loggedIn ? "yes" : (loggedOut ? "no" : "unknown")}`,
+    `Auth method: ${method}`,
+    `Email: ${email || "unknown"}`,
+    `Provider: ${provider}`,
+  ];
+}
+
+async function runClaudeAuthCommand(args, label, opts = {}) {
+  if (pendingClaudeAuthProcess) {
+    await send(`Another Claude auth flow is already running (${pendingClaudeAuthLabel}). Send the requested code/token or wait for it to finish.`);
+    return;
+  }
+  await send(`${label} started...`);
+  const proc = spawn(CLAUDE_PATH, args, {
+    cwd: process.env.HOME || require("os").homedir(),
+    env: claudeSubprocessEnv(),
+    stdio: ["pipe", "pipe", "pipe"],
+  });
+  pendingClaudeAuthProcess = proc;
+  pendingClaudeAuthLabel = label;
+  let output = "";
+  let sentUrls = new Set();
+  let tokenStored = false;
+  let lastSnippetAt = 0;
+
+  const handleChunk = async (chunk) => {
+    output += chunk;
+    const token = opts.captureToken ? extractClaudeToken(chunk) || extractClaudeToken(output) : null;
+    if (token && !tokenStored) {
+      tokenStored = saveClaudeOAuthToken(token);
+      await send(tokenStored ? "Claude OAuth token captured and stored. I did not print it." : "Claude OAuth token appeared, but I could not store it.");
+    }
+    for (const url of extractUrls(chunk)) {
+      if (!sentUrls.has(url)) {
+        sentUrls.add(url);
+        await send(`${label} URL:\n${redactSensitive(url)}\n\nOpen it, complete the flow, then paste any code Claude asks for here.`);
+      }
+    }
+    const redacted = redactSensitive(chunk).trim();
+    const now = Date.now();
+    if (redacted && now - lastSnippetAt > 3000 && !looksLikeClaudeToken(redacted)) {
+      lastSnippetAt = now;
+      await send(redacted.length > 1200 ? redacted.slice(-1200) : redacted);
+    }
+  };
+
+  proc.stdout.on("data", (d) => handleChunk(d.toString()).catch((e) => console.error("Auth output error:", e.message)));
+  proc.stderr.on("data", (d) => handleChunk(d.toString()).catch((e) => console.error("Auth stderr error:", e.message)));
+  proc.on("close", async (code) => {
+    pendingClaudeAuthProcess = null;
+    pendingClaudeAuthLabel = null;
+    const token = opts.captureToken ? extractClaudeToken(output) : null;
+    if (token && !tokenStored) tokenStored = saveClaudeOAuthToken(token);
+    const final = redactSensitive(output.trim());
+    if (tokenStored) await send(`${label} finished. OAuth token stored for launchd/non-interactive Claude runs.`);
+    else if (final) await send(`${label} finished (exit ${code}).\n\n${final.slice(-2500)}`);
+    else await send(`${label} finished (exit ${code}).`);
+  });
+  proc.on("error", async (err) => {
+    pendingClaudeAuthProcess = null;
+    pendingClaudeAuthLabel = null;
+    await send(`${label} failed: ${redactSensitive(err.message)}`);
+  });
+}
+
 // ── Claude Runner ───────────────────────────────────────────────────
 
 function parseStreamEvents(data) {
@@ -781,6 +1022,12 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
     return;
   }
 
+  const authPreflight = preflightClaudeAuthMessage();
+  if (authPreflight) {
+    await send(authPreflight, { replyTo: replyToMsgId });
+    return;
+  }
+
   bot.sendChatAction(CHAT_ID, "typing");
   statusMessageId = null;
   streamBuffer = "";
@@ -793,7 +1040,7 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
   const binaryPath = getActiveBinary();
   const proc = spawn(binaryPath, args, {
     cwd,
-    env: { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME },
+    env: claudeSubprocessEnv(),
     stdio: ["ignore", "pipe", "pipe"],
     detached: process.platform !== "win32",
   });
@@ -927,7 +1174,7 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
   proc.stderr.on("data", (d) => {
     const chunk = d.toString();
     stderrBuffer += chunk;
-    console.error("STDERR:", chunk);
+    console.error("STDERR:", redactSensitive(chunk));
   });
 
   proc.on("close", async (code) => {
@@ -935,17 +1182,18 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
     clearTimeout(streamInterval); streamInterval = null;
     clearTimeout(processTimeout);
 
-    // Check for auth errors in stderr
-    const stderrLower = stderrBuffer.toLowerCase();
-    if (stderrLower.includes("unauthorized") || stderrLower.includes("auth") && stderrLower.includes("fail") ||
-        stderrLower.includes("api key") || stderrLower.includes("not logged in")) {
-      const hint = settings.backend === "cursor" ? "Run `agent login` to authenticate." : "Run `claude auth` to re-authenticate.";
-      await send(`Authentication error. ${hint}`);
+    // Check for auth errors in stderr and give actionable Telegram recovery steps.
+    if (settings.backend !== "cursor" && isClaudeAuthErrorText(stderrBuffer)) {
+      await send(claudeAuthRecoveryMessage(stderrBuffer.trim().slice(-800)), { replyTo: replyToMsgId });
+      return;
+    }
+    if (settings.backend === "cursor" && isClaudeAuthErrorText(stderrBuffer)) {
+      await send("Cursor authentication error. Run `agent login` on this machine, then retry.", { replyTo: replyToMsgId });
       return;
     }
 
     try {
-      const finalText = assistantText || "(no output)";
+      const finalText = redactSensitive(assistantText || "(no output)");
       const chunks = splitMessage(finalText);
       const firstChunk = chunks[0];
 
@@ -964,6 +1212,13 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
         }
       }
       if (code !== 0 && code !== null) await send(`Exit code: ${code}`);
+
+      // Send voice reply if input was a voice note
+      if (lastInputWasVoice && TTS_CMD) {
+        lastInputWasVoice = false;
+        const voicePath = textToVoice(finalText);
+        if (voicePath) await sendVoice(voicePath);
+      }
     } catch (e) {
       console.error("Final message delivery failed:", e.message);
       await send("Task completed but failed to deliver the response. Send /continue to see the result.");
@@ -998,13 +1253,13 @@ async function runClaudeSilent(prompt, cwd, label) {
       "--append-system-prompt", buildSystemPrompt(),
       "--dangerously-skip-permissions", prompt];
     const proc = spawn(CLAUDE_PATH, args, {
-      cwd, env: { ...process.env, PATH: FULL_PATH, HOME: process.env.HOME },
+      cwd, env: claudeSubprocessEnv(),
       stdio: ["ignore", "pipe", "pipe"],
     });
     let output = "";
     proc.stdout.on("data", (d) => { output += d.toString(); });
     proc.on("close", async () => {
-      const chunks = splitMessage(`Cron: ${label}\n\n${output.trim() || "(no output)"}`);
+      const chunks = splitMessage(`Cron: ${label}\n\n${redactSensitive(output.trim() || "(no output)")}`);
       for (const c of chunks) await send(c);
       resolve();
     });
@@ -1104,6 +1359,7 @@ bot.onText(/\/help/, (msg) => {
     "Session: /session /sessions /projects /continue /status /stop /end",
     "Settings: /model /effort /budget /plan /compact /worktree /mode",
     "Automation: /cron /vault /soul",
+    "Claude auth: /auth_status /login /setup_token /use_oauth_token /clear_oauth_token",
     "System: /restart /upgrade",
     "",
     "Send text, voice, photos, or files.",
@@ -1354,6 +1610,64 @@ bot.onText(/\/soul$/, async (msg) => {
   await send(`Edit: ${SOUL_FILE}\nOr tell me what to change and I'll update it.`);
 });
 
+// ── Claude Auth Commands ────────────────────────────────────────────
+
+bot.onText(/\/(?:auth_status|auth status)$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  const tokenInfo = getClaudeOAuthToken();
+  const proc = spawn(CLAUDE_PATH, ["auth", "status"], {
+    cwd: process.env.HOME || require("os").homedir(),
+    env: claudeSubprocessEnv(),
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  let output = "";
+  proc.stdout.on("data", (d) => { output += d.toString(); });
+  proc.stderr.on("data", (d) => { output += d.toString(); });
+  proc.on("close", async (code) => {
+    const clean = redactSensitive(output.trim()) || "(no output)";
+    await send([
+      `Claude auth status: exit ${code}`,
+      ...summarizeClaudeAuthStatus(output, code, tokenInfo),
+      `Bot OAuth token: ${tokenInfo.value ? "configured via " + tokenInfo.source : "not configured"}`,
+      `Vault: ${vault.isUnlocked() ? "unlocked" : "locked"}`,
+      "",
+      clean.slice(-2500),
+    ].join("\n"));
+  });
+  proc.on("error", async (err) => send(`Claude auth status failed: ${redactSensitive(err.message)}`));
+});
+
+bot.onText(/\/login$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  await runClaudeAuthCommand(["auth", "login", "--claudeai", "--email", "sumeet@inet.africa"], "Claude login");
+});
+
+bot.onText(/\/setup_token$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  await runClaudeAuthCommand(["setup-token"], "Claude setup-token", { captureToken: true });
+});
+
+bot.onText(/\/use_oauth_token(?:\s+(.+))?$/, async (msg, match) => {
+  if (!isAuthorized(msg)) return;
+  const token = (match[1] || "").trim();
+  await deleteMessage(msg.message_id);
+  if (!token) {
+    pendingClaudeAuthProcess = { stdin: { write: (value) => saveClaudeOAuthToken(value.trim()) } };
+    pendingClaudeAuthLabel = "manual OAuth token save";
+    await send("Send the Claude OAuth token in your next message. I'll delete it and store it without echoing it.");
+    return;
+  }
+  if (!looksLikeClaudeToken(token)) return send("That doesn't look like a Claude OAuth token. Not saved.");
+  saveClaudeOAuthToken(token);
+  await send(`Claude OAuth token stored in .env${vault.isUnlocked() ? " and vault" : ""}. Restart the bot so launchd picks it up, or use /restart.`);
+});
+
+bot.onText(/\/clear_oauth_token$/, async (msg) => {
+  if (!isAuthorized(msg)) return;
+  clearClaudeOAuthToken();
+  await send("Claude OAuth token cleared from .env/process" + (vault.isUnlocked() ? " and vault." : ". Unlock vault and run again if you also stored it there."));
+});
+
 // ── /vault with password protection ─────────────────────────────────
 
 bot.onText(/\/vault$/, async (msg) => {
@@ -1527,6 +1841,7 @@ bot.on("voice", async (msg) => {
     try { fs.unlinkSync(oggPath); } catch (e) {}
     if (!transcript) return send("Couldn't transcribe. Try typing it.");
     await send(`Heard: "${transcript}"`, { replyTo: msg.message_id });
+    lastInputWasVoice = true;
     await runClaude(transcript, currentSession.dir, msg.message_id);
   } catch (err) { await send(`Voice failed: ${err.message}`); }
 });
@@ -1597,6 +1912,29 @@ bot.on("message", async (msg) => {
   if (msg.voice || msg.audio || msg.photo || msg.document || msg.video || msg.sticker) return;
   if (isDuplicate(msg.message_id)) return;
 
+  // Handle pending Claude auth/token paste-back
+  if (pendingClaudeAuthProcess) {
+    const text = msg.text.trim();
+    await deleteMessage(msg.message_id);
+    if (pendingClaudeAuthLabel === "manual OAuth token save") {
+      pendingClaudeAuthProcess = null;
+      pendingClaudeAuthLabel = null;
+      if (!looksLikeClaudeToken(text)) { await send("That doesn't look like a Claude OAuth token. Not saved."); return; }
+      saveClaudeOAuthToken(text);
+      await send(`Claude OAuth token stored in .env${vault.isUnlocked() ? " and vault" : ""}. Restart the bot so launchd picks it up, or use /restart.`);
+      return;
+    }
+    try {
+      pendingClaudeAuthProcess.stdin.write(text + "\n");
+      await send("Sent to Claude auth process.");
+    } catch (e) {
+      pendingClaudeAuthProcess = null;
+      pendingClaudeAuthLabel = null;
+      await send(`Could not send to Claude auth process: ${redactSensitive(e.message)}`);
+    }
+    return;
+  }
+
   // Handle onboarding
   if (!isOnboarded() && onboardingStep) {
     await handleOnboarding(msg);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inetafrica/open-claudia",
-  "version": "1.13.4",
+  "version": "1.14.0",
   "description": "Your always-on AI coding assistant — Claude Code via Telegram",
   "main": "bot.js",
   "bin": {