@lovelybunch/api 1.0.69-alpha.9 → 1.0.70

package/dist/lib/auth/auth-manager.d.ts

@@ -2,7 +2,11 @@ import { AuthConfig, LocalAuthUser, AuthSession, ApiKey, UserRole } from '@lovel
 export declare class AuthManager {
     private authConfigPath;
     private authConfig;
-    constructor(dataPath: string);
+    /**
+     * Create an AuthManager instance.
+     * @param configPath - Optional custom path to auth.json. If not provided, uses OS app data directory.
+     */
+    constructor(configPath?: string);
     /**
      * Check if auth is enabled
      */
@@ -119,4 +123,8 @@ export declare class AuthManager {
      */
     clearCache(): void;
 }
-export declare function getAuthManager(dataPath?: string): AuthManager;
+/**
+ * Get the singleton AuthManager instance.
+ * @param configPath - Optional custom path to auth.json. If not provided, uses OS app data directory.
+ */
+export declare function getAuthManager(configPath?: string): AuthManager;

package/dist/lib/auth/auth-manager.js

@@ -3,14 +3,19 @@ import path from 'path';
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
 import crypto from 'crypto';
+import { getAuthConfigPath } from '@lovelybunch/core';
 const SALT_ROUNDS = 10;
 const DEFAULT_SESSION_EXPIRY = '7d';
 const DEFAULT_COOKIE_NAME = 'nut-session';
 export class AuthManager {
     authConfigPath;
     authConfig = null;
-    constructor(dataPath) {
-        this.authConfigPath = path.join(dataPath, '.nut', 'auth.json');
+    /**
+     * Create an AuthManager instance.
+     * @param configPath - Optional custom path to auth.json. If not provided, uses OS app data directory.
+     */
+    constructor(configPath) {
+        this.authConfigPath = configPath ?? getAuthConfigPath();
     }
     /**
      * Check if auth is enabled
@@ -45,6 +50,9 @@ export class AuthManager {
      * Save auth config to file
      */
     async saveAuthConfig(config) {
+        // Ensure the directory exists
+        const dir = path.dirname(this.authConfigPath);
+        await fs.mkdir(dir, { recursive: true });
         await fs.writeFile(this.authConfigPath, JSON.stringify(config, null, 2), 'utf-8');
         this.authConfig = config;
     }
@@ -402,10 +410,13 @@ export class AuthManager {
 }
 // Singleton instance
 let authManagerInstance = null;
-export function getAuthManager(dataPath) {
+/**
+ * Get the singleton AuthManager instance.
+ * @param configPath - Optional custom path to auth.json. If not provided, uses OS app data directory.
+ */
+export function getAuthManager(configPath) {
     if (!authManagerInstance) {
-        const path = dataPath || process.env.GAIT_DATA_PATH || process.cwd();
-        authManagerInstance = new AuthManager(path);
+        authManagerInstance = new AuthManager(configPath);
     }
     return authManagerInstance;
 }

package/dist/lib/env-injection.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Get environment variables to inject into spawned child processes
+ * These are the API keys that coding agents (Claude Code, Codex, Gemini CLI) will use
+ * Returns a full environment object with process.env merged with API keys
+ */
+export declare function getInjectedEnv(): Record<string, string>;

package/dist/lib/env-injection.js

@@ -0,0 +1,64 @@
+import { homedir } from 'os';
+import { join } from 'path';
+import { existsSync, readFileSync } from 'fs';
+/**
+ * Get the path to the global config file
+ */
+function getGlobalConfigPath() {
+    const platform = process.platform;
+    let configDir;
+    if (platform === 'win32') {
+        configDir = join(process.env.APPDATA || homedir(), 'coconuts');
+    }
+    else if (platform === 'darwin') {
+        configDir = join(homedir(), 'Library', 'Application Support', 'coconuts');
+    }
+    else {
+        // Linux/Unix
+        configDir = join(process.env.XDG_CONFIG_HOME || join(homedir(), '.config'), 'coconuts');
+    }
+    return join(configDir, 'config.json');
+}
+/**
+ * Load global config from OS-specific location
+ */
+function loadGlobalConfig() {
+    const configPath = getGlobalConfigPath();
+    if (!existsSync(configPath)) {
+        return { apiKeys: {}, defaults: {} };
+    }
+    try {
+        const content = readFileSync(configPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch (error) {
+        console.warn('Warning: Could not parse global config file, using defaults');
+        return { apiKeys: {}, defaults: {} };
+    }
+}
+/**
+ * Get environment variables to inject into spawned child processes
+ * These are the API keys that coding agents (Claude Code, Codex, Gemini CLI) will use
+ * Returns a full environment object with process.env merged with API keys
+ */
+export function getInjectedEnv() {
+    const config = loadGlobalConfig();
+    const env = { ...process.env };
+    // Only inject keys that are actually configured
+    if (config.apiKeys?.anthropic) {
+        env.ANTHROPIC_API_KEY = config.apiKeys.anthropic;
+    }
+    if (config.apiKeys?.openai) {
+        env.OPENAI_API_KEY = config.apiKeys.openai;
+    }
+    if (config.apiKeys?.gemini) {
+        env.GEMINI_API_KEY = config.apiKeys.gemini;
+    }
+    if (config.apiKeys?.replicate) {
+        env.REPLICATE_API_TOKEN = config.apiKeys.replicate;
+    }
+    if (config.apiKeys?.factorydroid) {
+        env.FACTORY_API_KEY = config.apiKeys.factorydroid;
+    }
+    return env;
+}

package/dist/lib/git.d.ts

@@ -44,6 +44,7 @@ export declare function getCredentialConfig(): Promise<{
     origin?: string;
 }>;
 export declare function setRemoteUrl(remoteUrl: string): Promise<void>;
+export declare function removeRemote(): Promise<void>;
 export declare function storeCredentials(username: string, password: string, remoteUrl?: string): Promise<void>;
 export interface WorktreeInfo {
     name: string;

package/dist/lib/git.js

@@ -134,7 +134,33 @@ export async function mergeBranch(branchName, strategy = 'merge') {
 }
 // --- Push / Pull ---
 export async function pushCurrent() {
-    const { stdout } = await runGit(['push'], { timeout: 30000 }); // 30 second timeout for push
+    // Ensure GitHub token is in credential helper before pushing
+    try {
+        const tokenRecord = await readGithubToken();
+        if (tokenRecord && isGithubTokenValid(tokenRecord)) {
+            console.log('[git] Found valid GitHub token, ensuring it\'s in credential helper');
+            // Ensure token is stored in credential helper
+            try {
+                await storeCredentials('x-access-token', tokenRecord.token);
+                console.log('[git] Successfully stored token in credential helper');
+            }
+            catch (credError) {
+                // Log but don't fail - credential helper might already have it
+                console.error('[git] Failed to store token in credential helper:', credError?.message);
+            }
+        }
+        else {
+            console.log('[git] No valid GitHub token found');
+        }
+    }
+    catch (tokenError) {
+        // Log but don't fail - might not be using GitHub auth
+        console.error('[git] Error reading GitHub token:', tokenError);
+    }
+    console.log('[git] Executing git push...');
+    // Use -u to set upstream tracking if not already set (harmless if already configured)
+    const { stdout } = await runGit(['push', '-u', 'origin', 'HEAD'], { timeout: 30000 }); // 30 second timeout for push
+    console.log('[git] Push completed successfully');
     return stdout;
 }
 export async function pullCurrent(strategy = 'rebase') {
@@ -232,6 +258,18 @@ export async function setRemoteUrl(remoteUrl) {
         await runGit(['remote', 'add', 'origin', trimmed]);
     }
 }
+export async function removeRemote() {
+    // Check if origin exists
+    try {
+        await runGit(['config', '--get', 'remote.origin.url']);
+        // If we get here, origin exists, so remove it
+        await runGit(['remote', 'remove', 'origin']);
+    }
+    catch {
+        // Origin doesn't exist, nothing to do
+        throw new Error('No remote configured');
+    }
+}
 export async function storeCredentials(username, password, remoteUrl) {
     // If a remote URL is provided, set it first
     if (remoteUrl && remoteUrl.trim()) {

package/dist/lib/jobs/job-runner.js

@@ -3,6 +3,7 @@ import { createWriteStream } from 'fs';
 import { promises as fs } from 'fs';
 import path from 'path';
 import { getProjectRoot } from '../project-paths.js';
+import { getInjectedEnv } from '../env-injection.js';
 function shellQuote(value) {
     if (value === '')
         return "''";
@@ -16,6 +17,8 @@ function resolveAgent(model) {
         return 'gemini';
     if (lower.includes('codex') || lower.includes('gpt') || lower.includes('openai'))
         return 'codex';
+    if (lower.includes('droid') || lower.includes('factory'))
+        return 'droid';
     return 'claude';
 }
 function buildCommand(agent, instruction, config) {
@@ -42,6 +45,15 @@ function buildCommand(agent, instruction, config) {
                 : baseCmd;
             break;
         }
+        case 'droid': {
+            // For Factory Droid, use exec mode with --auto high for non-interactive scheduled jobs
+            // See: https://docs.factory.ai/reference/cli-reference#autonomy-levels
+            const mcpFlags = config.mcpServers && config.mcpServers.length > 0
+                ? config.mcpServers.map(server => `--mcp ${shellQuote(server)}`).join(' ')
+                : '';
+            mainCommand = `droid exec --auto high ${mcpFlags} ${quotedInstruction}`.trim();
+            break;
+        }
         case 'claude':
         default: {
             // Claude uses .mcp.json for MCP server configuration (no --mcp flag)
@@ -55,12 +67,14 @@ function buildCommand(agent, instruction, config) {
 const CLI_AGENT_LABEL = {
     claude: 'Claude',
     gemini: 'Gemini',
-    codex: 'Code'
+    codex: 'Codex',
+    droid: 'Factory Droid'
 };
 const CLI_AGENT_BINARY = {
     claude: 'claude',
     gemini: 'gemini',
-    codex: 'codex'
+    codex: 'codex',
+    droid: 'droid'
 };
 const DEFAULT_MAX_RUNTIME_MS = 30 * 60 * 1000; // 30 minutes
 function getMaxRuntime() {
@@ -223,9 +237,14 @@ export class JobRunner {
                 });
                 return;
             }
+            // Inject API keys from global config into child process environment
+            const injectedEnv = getInjectedEnv();
             const child = spawn('bash', ['-lc', shellCommand], {
                 cwd: projectRoot,
-                env: process.env,
+                env: {
+                    ...process.env,
+                    ...injectedEnv
+                },
                 stdio: ['ignore', 'pipe', 'pipe'],
             });
             const maxRuntime = getMaxRuntime();

package/dist/lib/jobs/job-scheduler.js

@@ -26,7 +26,18 @@ export class JobScheduler {
             return;
         const jobs = await this.store.listJobs();
         for (const job of jobs) {
-            await this.register(job);
+            // Skip corrupted jobs (jobs with _error field)
+            if (job._error) {
+                console.warn(`Skipping corrupted job ${job.id}: ${job._error}`);
+                continue;
+            }
+            try {
+                await this.register(job);
+            }
+            catch (error) {
+                console.error(`Failed to register job ${job.id}:`, error);
+                // Continue with other jobs even if one fails
+            }
         }
         this.initialized = true;
     }

package/dist/lib/jobs/job-store.d.ts

@@ -8,6 +8,7 @@ export declare class JobStore {
     private getJobFilePath;
     listJobs(): Promise<ScheduledJob[]>;
     getJob(id: string): Promise<ScheduledJob | null>;
+    private createErrorJob;
     saveJob(job: ScheduledJob, bodyContent?: string): Promise<void>;
     deleteJob(id: string): Promise<boolean>;
     appendRun(jobId: string, run: ScheduledJobRun): Promise<ScheduledJob>;

package/dist/lib/jobs/job-store.js

@@ -90,15 +90,53 @@ export class JobStore {
         try {
             const filePath = await this.getJobFilePath(id);
             const content = await fs.readFile(filePath, 'utf-8');
+            // Handle empty files
+            if (!content || content.trim().length === 0) {
+                return this.createErrorJob(id, 'Job file is empty');
+            }
             const { data, content: body } = matter(content);
+            // Validate that we have at least an id field
+            if (!data || typeof data !== 'object' || !data.id) {
+                return this.createErrorJob(id, 'Job file is missing required id field');
+            }
             return this.fromFrontmatter(data, body);
         }
         catch (error) {
             if (error?.code === 'ENOENT')
                 return null;
-            throw error;
+            // Handle parsing errors (e.g., invalid YAML, corrupted frontmatter)
+            const errorMessage = error?.message || 'Unknown error parsing job file';
+            return this.createErrorJob(id, errorMessage);
         }
     }
+    createErrorJob(id, errorMessage) {
+        const now = new Date();
+        return {
+            id,
+            name: id,
+            description: undefined,
+            prompt: '',
+            model: 'anthropic/claude-sonnet-4',
+            status: 'paused',
+            schedule: {
+                type: 'interval',
+                hours: 6,
+                daysOfWeek: ['monday', 'tuesday', 'wednesday', 'thursday', 'friday']
+            },
+            metadata: {
+                createdAt: now,
+                updatedAt: now,
+                lastRunAt: undefined,
+                nextRunAt: undefined,
+            },
+            runs: [],
+            tags: [],
+            contextPaths: [],
+            // Store error in a way that won't break serialization
+            // We'll use a special tag to mark error jobs
+            _error: errorMessage
+        };
+    }
     async saveJob(job, bodyContent = '') {
         const filePath = await this.getJobFilePath(job.id);
         const normalizedJob = {
@@ -138,34 +176,118 @@ export class JobStore {
         if (!data?.id) {
             throw new Error('Scheduled job is missing required id field');
         }
+        // Validate and sanitize fields to prevent issues with corrupted data
         const createdAt = toDate(data.metadata?.createdAt) ?? new Date();
         const updatedAt = toDate(data.metadata?.updatedAt) ?? createdAt;
+        // Validate schedule structure
+        let schedule;
+        if (data.schedule && typeof data.schedule === 'object') {
+            if (data.schedule.type === 'cron') {
+                const cronSchedule = data.schedule;
+                if (typeof cronSchedule.expression === 'string' && cronSchedule.expression.trim()) {
+                    schedule = {
+                        type: 'cron',
+                        expression: cronSchedule.expression.trim(),
+                        timezone: typeof cronSchedule.timezone === 'string' ? cronSchedule.timezone : undefined,
+                        description: typeof cronSchedule.description === 'string' ? cronSchedule.description : undefined,
+                    };
+                }
+                else {
+                    // Invalid cron schedule, fall back to default
+                    schedule = {
+                        type: 'interval',
+                        hours: 6,
+                        daysOfWeek: ['monday', 'tuesday', 'wednesday', 'thursday', 'friday']
+                    };
+                }
+            }
+            else {
+                const intervalSchedule = data.schedule;
+                const hours = typeof intervalSchedule.hours === 'number' && intervalSchedule.hours >= 1
+                    ? intervalSchedule.hours
+                    : 6;
+                const daysOfWeek = Array.isArray(intervalSchedule.daysOfWeek)
+                    ? intervalSchedule.daysOfWeek.filter((day) => typeof day === 'string' && ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'].includes(day.toLowerCase()))
+                    : ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'];
+                schedule = {
+                    type: 'interval',
+                    hours,
+                    daysOfWeek: daysOfWeek.length > 0 ? daysOfWeek : ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
+                    anchorHour: typeof intervalSchedule.anchorHour === 'number' && intervalSchedule.anchorHour >= 0 && intervalSchedule.anchorHour <= 23
+                        ? intervalSchedule.anchorHour
+                        : undefined,
+                };
+            }
+        }
+        else {
+            schedule = {
+                type: 'interval',
+                hours: 6,
+                daysOfWeek: ['monday', 'tuesday', 'wednesday', 'thursday', 'friday']
+            };
+        }
+        // Validate and sanitize runs
         const runs = Array.isArray(data.runs)
-            ? data.runs.map((run) => ({
-                id: run.id ?? `run-${randomUUID()}`,
-                jobId: data.id,
-                trigger: run.trigger,
-                status: run.status,
-                startedAt: toDate(run.startedAt) ?? new Date(),
-                finishedAt: toDate(run.finishedAt),
-                outputPath: run.outputPath,
-                summary: run.summary,
-                error: run.error,
-                cliCommand: run.cliCommand,
-            }))
+            ? data.runs
+                .filter((run) => run && typeof run === 'object')
+                .map((run) => {
+                const startedAt = toDate(run.startedAt);
+                if (!startedAt) {
+                    // Skip runs with invalid dates
+                    return null;
+                }
+                return {
+                    id: typeof run.id === 'string' ? run.id : `run-${randomUUID()}`,
+                    jobId: data.id,
+                    trigger: (run.trigger === 'manual' || run.trigger === 'scheduled') ? run.trigger : 'manual',
+                    status: (['pending', 'running', 'succeeded', 'failed'].includes(run.status)) ? run.status : 'pending',
+                    startedAt,
+                    finishedAt: toDate(run.finishedAt),
+                    outputPath: typeof run.outputPath === 'string' ? run.outputPath : undefined,
+                    summary: typeof run.summary === 'string' ? run.summary : undefined,
+                    error: typeof run.error === 'string' ? run.error : undefined,
+                    cliCommand: typeof run.cliCommand === 'string' ? run.cliCommand : undefined,
+                };
+            })
+                .filter((run) => run !== null)
+            : [];
+        // Validate and sanitize string fields
+        const name = typeof data.name === 'string' && data.name.trim()
+            ? data.name.trim().slice(0, 500) // Limit length
+            : data.id;
+        const description = typeof data.description === 'string'
+            ? data.description.slice(0, 1000) // Limit length
+            : undefined;
+        const prompt = typeof data.prompt === 'string'
+            ? data.prompt.trim() || body.trim()
+            : body.trim();
+        const model = typeof data.model === 'string' && data.model.trim()
+            ? data.model.trim()
+            : 'anthropic/claude-sonnet-4';
+        const status = (data.status === 'active' || data.status === 'paused')
+            ? data.status
+            : 'paused';
+        // Validate arrays
+        const tags = Array.isArray(data.tags)
+            ? data.tags.filter((tag) => typeof tag === 'string').slice(0, 50)
+            : [];
+        const contextPaths = Array.isArray(data.contextPaths)
+            ? data.contextPaths.filter((path) => typeof path === 'string').slice(0, 100)
             : [];
+        const agentIds = Array.isArray(data.agentIds)
+            ? data.agentIds.filter((id) => typeof id === 'string').slice(0, 50)
+            : undefined;
+        const mcpServers = Array.isArray(data.mcpServers)
+            ? data.mcpServers.filter((server) => typeof server === 'string').slice(0, 50)
+            : undefined;
         return {
             id: data.id,
-            name: data.name || data.id,
-            description: data.description,
-            prompt: data.prompt || body.trim(),
-            model: data.model || 'anthropic/claude-sonnet-4',
-            status: data.status || 'paused',
-            schedule: data.schedule ?? {
-                type: 'interval',
-                hours: 6,
-                daysOfWeek: ['monday', 'tuesday', 'wednesday', 'thursday', 'friday']
-            },
+            name,
+            description,
+            prompt,
+            model,
+            status,
+            schedule,
             metadata: {
                 createdAt,
                 updatedAt,
@@ -173,11 +295,11 @@ export class JobStore {
                 nextRunAt: toDate(data.metadata?.nextRunAt),
             },
             runs,
-            tags: data.tags ?? [],
-            contextPaths: data.contextPaths ?? [],
-            agentId: data.agentId,
-            agentIds: data.agentIds,
-            mcpServers: data.mcpServers,
+            tags,
+            contextPaths,
+            agentId: typeof data.agentId === 'string' ? data.agentId : undefined,
+            agentIds,
+            mcpServers,
         };
     }
     toFrontmatter(job) {

package/dist/lib/storage/file-storage.js

@@ -122,19 +122,28 @@ export class FileStorageAdapter {
         // Never allow id to be updated to prevent overwriting other proposals
         const { id: _, ...safeUpdates } = updates;
         // Handle comments separately as they're stored at root level in file format
-        let updated = {
+        // Comments can come from either root level or metadata.comments
+        let commentsToStore = existing.metadata.comments || [];
+        if (safeUpdates.comments) {
+            // If comments are provided at root level, use them
+            commentsToStore = safeUpdates.comments;
+        }
+        else if (safeUpdates.metadata?.comments) {
+            // If comments are provided in metadata, use them
+            commentsToStore = safeUpdates.metadata.comments;
+        }
+        const updated = {
             ...existing,
             ...safeUpdates,
             metadata: {
                 ...existing.metadata,
                 ...safeUpdates.metadata,
-                updatedAt: new Date()
-            }
+                updatedAt: new Date(),
+                comments: commentsToStore
+            },
+            // Store comments at the root level for the file format
+            comments: commentsToStore
         };
-        // If comments are being updated, store them at the root level for the file format
-        if (safeUpdates.comments) {
-            updated.comments = safeUpdates.comments;
-        }
         await this.createCP(updated);
     }
     async deleteCP(id) {

package/dist/lib/terminal/terminal-manager.js

@@ -5,6 +5,7 @@ import fs from 'fs';
 import { createInitScript } from './context-helper.js';
 import { getShellPath, getShellArgs, prepareShellInit } from './shell-utils.js';
 import { getLogger, AgentKinds } from '@lovelybunch/core/logging';
+import { getInjectedEnv } from '../env-injection.js';
 export class TerminalManager {
     sessions = new Map();
     cleanupInterval;
@@ -82,9 +83,9 @@ export class TerminalManager {
         }
         // Get shell arguments
         const shellArgs = getShellArgs(shellPath, initScriptPath);
-        // Prepare environment variables
+        // Prepare environment variables with API keys injected
         const env = {
-            ...process.env,
+            ...getInjectedEnv(),
             COCONUT_PROPOSAL_ID: proposalId,
             COCONUT_CONTEXT_PATH: path.join(projectRoot, '.nut', 'context'),
             COCONUT_PROPOSAL_PATH: path.join(projectRoot, '.nut', 'proposals', `${proposalId}.md`),

package/dist/routes/api/v1/config/route.js

@@ -233,6 +233,26 @@ export async function TEST(c) {
                 return c.json({ success: false, message: err instanceof Error ? err.message : 'Network error' }, 200);
             }
         }
+        if (provider === 'replicate') {
+            try {
+                // Test Replicate API by listing models (lightweight endpoint)
+                const resp = await fetch('https://api.replicate.com/v1/models', {
+                    method: 'GET',
+                    headers: {
+                        'Authorization': `Bearer ${effectiveKey}`,
+                        'Content-Type': 'application/json',
+                    },
+                });
+                if (!resp.ok) {
+                    const text = await resp.text();
+                    return c.json({ success: false, message: `Replicate rejected token: ${text.slice(0, 200)}` }, 200);
+                }
+                return c.json({ success: true, message: 'Replicate token is valid' });
+            }
+            catch (err) {
+                return c.json({ success: false, message: err instanceof Error ? err.message : 'Network error' }, 200);
+            }
+        }
         // Other providers not wired up yet
         return c.json({ success: false, message: `Provider '${provider}' test not implemented yet` }, 501);
     }