@inetafrica/open-claudia 2.2.2 → 2.2.4

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## v2.2.4
+- Bearer auth on `/api/*`: when `BOT_CONTROL_TOKEN` is set in the env, requests with `Authorization: Bearer <token>` are accepted in addition to the existing cookie session. Behaviour is unchanged when the env var is not set, so local installs are not affected.
+- `/upgrade` detects an AgentSpace-managed pod (both `AGENTSPACE_POD_TOKEN` and `AGENTSPACE_API_URL` set) and delegates to `POST /pods/self/upgrade` on the control plane instead of running `npm install -g` locally. The control plane rolls the deployment with a fresh image pull. Local installs fall through to the existing npm upgrade path.
+- Password change in the web UI fires a fire-and-forget `POST /pods/self/password-changed` callback so the control plane can flag the pod as having a user-set password and refuse to leak the stale initial value.
+
+## v2.2.3
+- Queue drain now batches: when multiple messages are received while a task is running, they're delivered as one combined follow-up turn instead of N isolated turns. The model sees them together (numbered, with HH:MM:SS queue timestamps), in context of what it just finished, so it can plan across them. A single queued message still delivers as before — no behavior change for the common case.
+
 ## v2.0.1
 - Kazee owner detection: `envelope.channelId` is the chat-document id, but `KAZEE_OWNER_USER_ID` is the Kazee user id. `isChatOwner`/`isChatAuthorized` now also short-circuit when the inbound user id matches the configured transport owner, so the owner running `/auth` (or anything else) on a fresh Kazee install is recognized immediately instead of being queued as a non-owner request.
 - `chatContext` now carries `userId` and `transport` in addition to `chatId`; new `currentUserId()` / `currentTransport()` exports.

package/core/handlers.js

@@ -301,10 +301,55 @@ register({
   },
 });
 
+async function requestAgentSpaceUpgrade() {
+  const apiUrl = process.env.AGENTSPACE_API_URL;
+  const token = process.env.AGENTSPACE_POD_TOKEN;
+  if (!apiUrl || !token) return null;
+  const u = new URL("/pods/self/upgrade", apiUrl);
+  const lib = u.protocol === "https:" ? require("https") : require("http");
+  return new Promise((resolve) => {
+    const req = lib.request({
+      method: "POST",
+      hostname: u.hostname,
+      port: u.port || (u.protocol === "https:" ? 443 : 80),
+      path: u.pathname + u.search,
+      headers: {
+        "Authorization": `Bearer ${token}`,
+        "Content-Type": "application/json",
+        "Content-Length": "0",
+      },
+    }, (res) => {
+      let data = "";
+      res.on("data", (c) => { data += c; });
+      res.on("end", () => resolve({ status: res.statusCode, body: data }));
+    });
+    req.on("error", (e) => resolve({ status: 0, body: String(e.message || e) }));
+    req.setTimeout(15000, () => { req.destroy(new Error("timeout")); });
+    req.end();
+  });
+}
+
 register({
   name: "upgrade", description: "Upgrade and restart", ownerOnly: true,
   handler: async (env) => {
     if (!ownerEnv(env)) return;
+    // Container-managed upgrade: if AgentSpace injected pod-self credentials,
+    // delegate to the control plane so the deployment can be rolled with a
+    // fresh image pull. The local npm path can't do that.
+    if (process.env.AGENTSPACE_POD_TOKEN && process.env.AGENTSPACE_API_URL) {
+      try {
+        const result = await requestAgentSpaceUpgrade();
+        if (result && (result.status === 202 || result.status === 200)) {
+          await send("Upgrade requested — AgentSpace will pull latest image and restart, see you in a minute.");
+          return;
+        }
+        await send(`Upgrade request failed (status ${result?.status || "?"}). ${(result?.body || "").slice(0, 300)}`);
+        return;
+      } catch (e) {
+        await send(`Upgrade request error: ${e.message || e}`);
+        return;
+      }
+    }
     try { process.chdir(process.env.HOME || require("os").homedir()); } catch (e) {}
     let latest = null;
     try {

package/core/runner.js

@@ -390,7 +390,7 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
   const { settings } = state;
 
   if (state.runningProcess) {
-    state.messageQueue.push({ prompt, replyToMsgId, opts });
+    state.messageQueue.push({ prompt, replyToMsgId, opts, queuedAt: Date.now() });
     await send(state.isCompacting ? "Compacting context, will pick this up next…" : "Queued.", { replyTo: replyToMsgId });
     return;
   }
@@ -676,8 +676,27 @@ async function runClaude(prompt, cwd, replyToMsgId, opts = {}) {
     }
 
     if (state.messageQueue.length > 0 && state.currentSession) {
-      const next = state.messageQueue.shift();
-      await runClaude(next.prompt, state.currentSession.dir, next.replyToMsgId, next.opts);
+      const drained = state.messageQueue.splice(0);
+      if (drained.length === 1) {
+        const only = drained[0];
+        await runClaude(only.prompt, state.currentSession.dir, only.replyToMsgId, only.opts);
+      } else {
+        const fmtTime = (ts) => {
+          const d = new Date(ts);
+          const hh = String(d.getHours()).padStart(2, "0");
+          const mm = String(d.getMinutes()).padStart(2, "0");
+          const ss = String(d.getSeconds()).padStart(2, "0");
+          return `${hh}:${mm}:${ss}`;
+        };
+        const numbered = drained.map((m, i) => `[${i + 1}] (${fmtTime(m.queuedAt || Date.now())}) ${m.prompt}`).join("\n\n");
+        const batched =
+          `While you were working the user sent these ${drained.length} follow-up messages (oldest first):\n\n` +
+          `${numbered}\n\n` +
+          `Treat each as a distinct follow-up request. Add them to your plan and handle them; ` +
+          `if any contradicts an earlier one, prefer the newer one and call out the conflict.`;
+        const last = drained[drained.length - 1];
+        await runClaude(batched, state.currentSession.dir, last.replyToMsgId, last.opts);
+      }
     }
   }));
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inetafrica/open-claudia",
-  "version": "2.2.2",
+  "version": "2.2.4",
   "description": "Your always-on AI coding assistant — Claude Code, Cursor Agent, and OpenAI Codex via Telegram or Kazee Chat",
   "main": "bot.js",
   "bin": {

package/web.js

@@ -48,9 +48,48 @@ function validatePasswordComplexity(pw) {
 function setPassword(newPassword) {
   fs.writeFileSync(WEB_PASSWORD_FILE, newPassword);
   fs.writeFileSync(PASSWORD_CHANGED_FILE, new Date().toISOString());
+  notifyAgentSpacePasswordChanged();
+}
+
+function notifyAgentSpacePasswordChanged() {
+  const apiUrl = process.env.AGENTSPACE_API_URL;
+  const token = process.env.AGENTSPACE_POD_TOKEN;
+  if (!apiUrl || !token) return;
+  let u;
+  try { u = new URL("/pods/self/password-changed", apiUrl); } catch (e) { return; }
+  const lib = u.protocol === "https:" ? require("https") : require("http");
+  const req = lib.request({
+    method: "POST",
+    hostname: u.hostname,
+    port: u.port || (u.protocol === "https:" ? 443 : 80),
+    path: u.pathname + u.search,
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json",
+      "Content-Length": "0",
+    },
+  });
+  req.on("error", () => {});
+  req.setTimeout(5000, () => { try { req.destroy(); } catch (e) {} });
+  req.end();
+}
+
+function checkBearerAuth(req) {
+  const expected = process.env.BOT_CONTROL_TOKEN;
+  if (!expected) return false;
+  const header = req.headers.authorization || "";
+  if (!header.startsWith("Bearer ")) return false;
+  const presented = header.slice(7).trim();
+  if (presented.length !== expected.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
+  } catch (e) {
+    return false;
+  }
 }
 
 function checkAuth(req) {
+  if (checkBearerAuth(req)) return true;
   const cookie = (req.headers.cookie || "").split(";").find((c) => c.trim().startsWith("oc_session="));
   if (!cookie) return false;
   const token = cookie.split("=")[1]?.trim();