@lovenyberg/ove 0.6.0 → 0.7.0

package/README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="logo.png" width="180" alt="Ove" />
+  <img src="https://raw.githubusercontent.com/jacksoncage/ove/main/logo.png" width="180" alt="Ove" />
 </p>
 
 <h1 align="center">Ove</h1>
@@ -16,16 +16,16 @@ Talk to Ove from Slack, WhatsApp, Telegram, Discord, GitHub issues, a Web UI, or
 **Just chat.** You don't need to memorize commands. Talk to Ove like you'd talk to a colleague — ask questions, describe what you need, paste error messages, think out loud. He understands natural language. The commands below are shortcuts, not requirements.
 
 <p align="center">
-  <img src="screenshot-telegram.png" width="320" alt="Ove on Telegram" />
+  <img src="https://raw.githubusercontent.com/jacksoncage/ove/main/docs/images/screenshot-telegram.png" width="320" alt="Ove on Telegram" />
 </p>
 
 ### Web UI
 
-![Ove Web UI](screenshot-chat.png)
+![Ove Web UI](https://raw.githubusercontent.com/jacksoncage/ove/main/docs/images/screenshot-chat.png)
 
 ### Trace Viewer
 
-![Ove Trace Viewer](screenshot-trace.png)
+![Ove Trace Viewer](https://raw.githubusercontent.com/jacksoncage/ove/main/docs/images/screenshot-trace.png)
 
 ## Quick Start
 

package/deploy/ove.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Ove - Personal AI coding assistant
+After=network.target
+
+[Service]
+Type=simple
+User=YOUR_USER
+WorkingDirectory=/path/to/ove
+ExecStart=/path/to/bun run src/index.ts
+Restart=always
+RestartSec=5
+EnvironmentFile=/path/to/ove/.env
+Environment=PATH=/home/YOUR_USER/.local/bin:/home/YOUR_USER/.bun/bin:/usr/local/bin:/usr/bin:/bin
+
+[Install]
+WantedBy=multi-user.target

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lovenyberg/ove",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Your grumpy but meticulous dev companion. AI coding agent for Slack, WhatsApp, Telegram, Discord, GitHub, HTTP API, and CLI.",
   "type": "module",
   "bin": {

package/src/adapters/http.ts

@@ -1,5 +1,6 @@
 import { readFileSync, existsSync } from "node:fs";
-import { join, extname } from "node:path";
+import { join, extname, resolve } from "node:path";
+import { timingSafeEqual } from "node:crypto";
 import type { EventAdapter, IncomingEvent, IncomingMessage, ChatAdapter, AdapterStatus } from "./types";
 import type { TraceStore } from "../trace";
 import type { TaskQueue } from "../queue";
@@ -13,6 +14,13 @@ interface PendingChat {
   sseControllers: ReadableStreamDefaultController[];
 }
 
+function safeEqual(a: string, b: string): boolean {
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  if (bufA.length !== bufB.length) return false;
+  return timingSafeEqual(bufA, bufB);
+}
+
 export class HttpApiAdapter implements EventAdapter {
   private port: number;
   private apiKey: string;
@@ -40,7 +48,7 @@ export class HttpApiAdapter implements EventAdapter {
     this.trace = trace;
     this.queue = queue || null;
     this.sessions = sessions || null;
-    const publicDir = join(import.meta.dir, "../../public");
+    const publicDir = resolve(import.meta.dir, "../../public");
     this.publicDir = publicDir;
     try {
       this.webUiHtml = readFileSync(join(publicDir, "index.html"), "utf-8");
@@ -114,7 +122,7 @@ export class HttpApiAdapter implements EventAdapter {
         // Auth check for API routes
         if (path.startsWith("/api/")) {
           const key = req.headers.get("X-API-Key") || url.searchParams.get("key");
-          if (key !== self.apiKey) {
+          if (!key || !safeEqual(key, self.apiKey)) {
             return Response.json({ error: "Unauthorized" }, { status: 401 });
           }
         }
@@ -159,9 +167,20 @@ export class HttpApiAdapter implements EventAdapter {
 
         // POST /api/message — submit a chat message (full chat pipeline)
         if (path === "/api/message" && req.method === "POST") {
-          const body = await req.json() as { text: string; userId?: string };
+          let body: { text: string };
+          try {
+            body = await req.json() as { text: string };
+          } catch {
+            return Response.json({ error: "Invalid JSON body" }, { status: 400 });
+          }
+          if (!body || typeof body.text !== "string" || body.text.trim().length === 0) {
+            return Response.json({ error: "Missing or invalid 'text' field" }, { status: 400 });
+          }
+          if (body.text.length > 50000) {
+            return Response.json({ error: "Message too long (max 50000 chars)" }, { status: 400 });
+          }
           const chatId = crypto.randomUUID();
-          const userId = body.userId || "http:web";
+          const userId = "http:web";
 
           const chat: PendingChat = { status: "pending", replies: [], sseControllers: [] };
           self.chats.set(chatId, chat);
@@ -290,7 +309,10 @@ export class HttpApiAdapter implements EventAdapter {
         const MIME: Record<string, string> = { ".png": "image/png", ".ico": "image/x-icon", ".svg": "image/svg+xml", ".jpg": "image/jpeg", ".css": "text/css", ".js": "application/javascript" };
         const ext = extname(path);
         if (ext && MIME[ext]) {
-          const filePath = join(self.publicDir, path);
+          const filePath = resolve(self.publicDir, "." + path);
+          if (!filePath.startsWith(self.publicDir + "/")) {
+            return Response.json({ error: "Not found" }, { status: 404 });
+          }
           if (existsSync(filePath)) {
             const data = readFileSync(filePath);
             return new Response(data, { headers: { "Content-Type": MIME[ext], "Cache-Control": "public, max-age=3600" } });

package/src/handlers.ts

@@ -254,6 +254,10 @@ async function handleCancelTask(msg: IncomingMessage, args: Record<string, any>,
     const active = deps.queue.listActive();
     const pendingMatch = active.find((t) => t.id.toLowerCase().startsWith(prefix) && t.status === "pending");
     if (pendingMatch) {
+      if (pendingMatch.userId !== msg.userId) {
+        await msg.reply("That's not your task.");
+        return;
+      }
       deps.queue.cancel(pendingMatch.id);
       await msg.reply(`Cancelled pending task ${pendingMatch.id.slice(0, 7)} on ${pendingMatch.repo}.`);
       return;
@@ -261,6 +265,10 @@ async function handleCancelTask(msg: IncomingMessage, args: Record<string, any>,
     await msg.reply(`No task found matching "${prefix}". Use /tasks to see what's running.`);
     return;
   }
+  if (match.task.userId !== msg.userId) {
+    await msg.reply("That's not your task.");
+    return;
+  }
   match.abort.abort();
   deps.queue.cancel(match.task.id);
   await msg.reply(`Killed task ${match.task.id.slice(0, 7)} on ${match.task.repo}. Gone.`);

package/.dockerignore

@@ -1,7 +0,0 @@
-node_modules/
-repos/
-.env
-ove.db
-.git/
-docs/
-*.md

package/.github/workflows/ci.yml

@@ -1,16 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: oven-sh/setup-bun@v2
-      - run: bun install
-      - run: bun test

package/.github/workflows/pages.yml

@@ -1,33 +0,0 @@
-name: Deploy Pages
-
-on:
-  push:
-    branches: [main]
-    paths: [docs/**]
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-concurrency:
-  group: pages
-  cancel-in-progress: true
-
-jobs:
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/configure-pages@v5
-
-      - uses: actions/upload-pages-artifact@v3
-        with:
-          path: docs
-
-      - id: deployment
-        uses: actions/deploy-pages@v4

package/.github/workflows/publish.yml

@@ -1,45 +0,0 @@
-name: Publish Package
-
-on:
-  release:
-    types: [published]
-
-permissions:
-  contents: read
-  packages: write
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: oven-sh/setup-bun@v2
-      - run: bun install
-      - run: bun test
-
-  publish:
-    needs: test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: https://registry.npmjs.org
-
-      - uses: oven-sh/setup-bun@v2
-
-      - run: bun install
-
-      # Update version from release tag (safe: GITHUB_REF_NAME is not user-controlled)
-      - name: Set version from tag
-        env:
-          REF_NAME: ${{ github.ref_name }}
-        run: |
-          VERSION="${REF_NAME#v}"
-          npm version "$VERSION" --no-git-tag-version --allow-same-version
-
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/Dockerfile

@@ -1,37 +0,0 @@
-FROM oven/bun:1 AS base
-
-# System deps: git for repo management, ssh for private repos
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends git openssh-client && \
-    rm -rf /var/lib/apt/lists/*
-
-# Claude CLI (installed via npm since bun global install has quirks)
-RUN bunx --bun npm i -g @anthropic-ai/claude-code
-
-WORKDIR /app
-
-# Install dependencies
-COPY package.json bun.lock ./
-RUN bun install --frozen-lockfile --production
-
-# Copy source
-COPY bin/ bin/
-COPY src/ src/
-COPY tsconfig.json ./
-COPY config.example.json .env.example ./
-
-# Non-root user (Claude CLI refuses --dangerously-skip-permissions as root)
-# Default UID/GID 1000 matches most host users; override with --build-arg
-ARG UID=1000
-ARG GID=1000
-RUN groupadd -g $GID ove 2>/dev/null || true && \
-    useradd -m -s /bin/bash -u $UID -g $GID ove 2>/dev/null || true && \
-    mkdir -p repos && \
-    chown -R $UID:$GID /app
-USER $UID
-
-# Git safe.directory for mounted volumes
-RUN git config --global --add safe.directory '*'
-
-ENTRYPOINT ["bun", "run", "bin/ove.ts"]
-CMD ["start"]