@inetafrica/open-claudia 1.7.3 → 1.8.0

package/Dockerfile

@@ -12,7 +12,8 @@ RUN curl -fsSL https://claude.ai/install.sh | sh || \
     npm install -g @anthropic-ai/claude-code
 
 # Create non-root user (Claude Code refuses --dangerously-skip-permissions as root)
-RUN groupadd -g 1000 claudia && useradd -u 1000 -g 1000 -m -d /data claudia
+# node:20-slim already has uid/gid 1000 (node user). Create claudia with different IDs.
+RUN groupadd -g 1001 claudia && useradd -u 1001 -g 1001 -m -d /data claudia
 
 # Create app directory
 WORKDIR /app
@@ -41,7 +42,7 @@ VOLUME /data
 EXPOSE 8080
 
 # Switch to non-root user
-USER 1000
+USER 1001
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "bin/cli.js", "web"]

package/bot-agent.js

@@ -1001,6 +1001,7 @@ bot.onText(/\/restart$/, async (msg) => {
 
 bot.onText(/\/upgrade$/, async (msg) => {
   if (!isOwner(msg)) return;
+  try { process.chdir(process.env.HOME || require("os").homedir()); } catch (e) { /* already gone */ }
   // Check if there's actually a newer version
   try {
     const latest = execSync("npm view @inetafrica/open-claudia version", {

package/bot.js

@@ -1041,6 +1041,9 @@ bot.onText(/\/restart$/, async (msg) => {
 
 bot.onText(/\/upgrade$/, async (msg) => {
   if (!isOwner(msg)) return;
+  // Change to HOME first — npm install -g replaces the package directory
+  // which can delete the cwd out from under the running process
+  try { process.chdir(process.env.HOME || require("os").homedir()); } catch (e) { /* already gone */ }
   // Check if there's actually a newer version
   try {
     const latest = execSync("npm view @inetafrica/open-claudia version", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inetafrica/open-claudia",
-  "version": "1.7.3",
+  "version": "1.8.0",
   "description": "Your always-on AI coding assistant — Claude Code via Telegram",
   "main": "bot.js",
   "bin": {

package/web.js

@@ -20,11 +20,13 @@ function getPassword() {
   if (fs.existsSync(WEB_PASSWORD_FILE)) {
     return fs.readFileSync(WEB_PASSWORD_FILE, "utf-8").trim();
   }
-  // Generate initial password
-  const initial = crypto.randomBytes(4).toString("hex");
+  // Use env-provided password (from K8s secret) or generate random
+  const initial = process.env.WEB_PASSWORD || crypto.randomBytes(16).toString("hex");
   fs.writeFileSync(WEB_PASSWORD_FILE, initial);
-  console.log(`\n  Web UI initial password: ${initial}`);
-  console.log(`  Change it in Settings after first login.\n`);
+  if (!process.env.WEB_PASSWORD) {
+    console.log(`\n  Web UI initial password: ${initial}`);
+    console.log(`  Change it in Settings after first login.\n`);
+  }
   return initial;
 }
 
@@ -208,11 +210,18 @@ async function handleAPI(req, res, body) {
     return res.end(JSON.stringify(env));
   }
 
-  // Update config
+  // Update config (whitelist safe keys only)
   if (url === "/api/config" && req.method === "POST") {
+    const SAFE_KEYS = new Set(["WORKSPACE", "CLAUDE_PATH", "WHISPER_CLI", "FFMPEG", "WHISPER_MODEL"]);
     const updates = JSON.parse(body);
     const env = loadEnv();
-    Object.assign(env, updates);
+    for (const [key, value] of Object.entries(updates)) {
+      if (!SAFE_KEYS.has(key)) {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ error: `Cannot update key: ${key}` }));
+      }
+      env[key] = value;
+    }
     saveEnv(env);
     res.writeHead(200, { "Content-Type": "application/json" });
     return res.end(JSON.stringify({ ok: true }));