@inetafrica/open-claudia 1.4.2 → 1.4.3

package/bot.js

@@ -475,7 +475,7 @@ ${lastSessionId ? "Resuming conversation — you have prior context." : "New con
 - For long output (logs, diffs, large code), save to a file and send via the Telegram API curl above — don't paste walls of text.
 - Act on screenshots (fix bugs, implement designs) — don't just describe what you see.
 - When the user sends a file, it's saved in ${FILES_DIR}. Read it with the Read tool.
-- When asked to remember credentials, tell the user to use /vault.
+- When the user sends a credential, token, or API key, store it in the vault immediately using the vault CLI or bot commands. Tell them it's stored and that you've deleted their message for security. Don't tell them to use /vault manually — handle it for them.
 - When asked to change your personality, edit ${SOUL_FILE}.
 - When asked about yourself, you are Open Claudia — an AI coding assistant running Claude Code via Telegram.
 - If a task will take a while, let the user know upfront.
@@ -1228,6 +1228,18 @@ bot.on("message", async (msg) => {
   // Normal message
   if (!requireSession(msg)) return;
 
+  // Detect credential-like messages and delete them from chat
+  const text = msg.text;
+  const credPatterns = [
+    /^(sk-ant-|sk-|glpat-|ghp_|gho_|github_pat_|xoxb-|xoxp-|AKIA|AIza)/,  // API keys
+    /^[A-Za-z0-9_-]{20,}$/,  // Long token-like strings with no spaces
+    /^(Bearer |token:|key:|secret:|password:)/i,  // Prefixed credentials
+  ];
+  const looksLikeCredential = credPatterns.some((p) => p.test(text.trim()));
+  if (looksLikeCredential) {
+    await deleteMessage(msg.message_id);
+  }
+
   let prompt = msg.text;
   const reply = msg.reply_to_message;
   if (reply) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inetafrica/open-claudia",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "description": "Your always-on AI coding assistant — Claude Code via Telegram",
   "main": "bot.js",
   "bin": {