alvin-bot 4.4.3 → 4.4.4

package/CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.4.4] — 2026-04-09
+
+### 🔐 Security / Data Layout
+
+**`.env` now lives only in `DATA_DIR`** — The `ENV_FILE` path constant in `src/paths.ts` has been moved from `BOT_ROOT/.env` to `DATA_DIR/.env` (e.g. `~/.alvin-bot/.env`). This fixes a latent drift bug affecting 6 code sites in `web/server.ts`, `web/setup-api.ts`, `web/doctor-api.ts`, and `services/fallback-order.ts`: before this release, the Web UI's Settings tab, the setup wizard, the doctor repair flow, and the `/fallback` sync were all writing to `BOT_ROOT/.env`, while the bot's config loader in `src/config.ts` reads from `DATA_DIR/.env` first. Changes made through any of those tools were silently written to a file the bot never reads (for globally-installed users, `BOT_ROOT` is inside `node_modules/alvin-bot/` and gets wiped on `npm update -g`).
+
+Why this also matters for security: keeping `.env` inside the code repo is defense-in-depth weak. `.gitignore` can be edited, editors create swap files (`.env.swp`, `.env~`), `git add -f` bypasses ignores, backup tools sync whole project folders, and screensharing shows project directories. Secrets belong physically outside the repo.
+
+**Automatic migration for legacy installs** — `src/migrate.ts` now copies a legacy `BOT_ROOT/.env` to `DATA_DIR/.env` on first run (only if the destination doesn't exist) and enforces `0600` mode regardless of the source permissions. `hasLegacyData()` now recognizes a stray `BOT_ROOT/.env` as a migration trigger. No action is required from existing users — the bot migrates itself.
+
+### 📦 Compatibility
+
+No breaking changes. Existing installs upgrade in place and are auto-migrated.
+
+```bash
+npm update -g alvin-bot
+```
+
 ## [4.4.3] — 2026-04-09
 
 ### 🔐 Security

package/dist/migrate.js

@@ -20,7 +20,7 @@
  */
 import fs from "fs";
 import { resolve } from "path";
-import { BOT_ROOT, MEMORY_DIR, USERS_DIR, BACKUP_DIR, SOUL_FILE, TOOLS_MD, TOOLS_JSON, CRON_FILE, MCP_CONFIG, FALLBACK_FILE, CUSTOM_MODELS, WA_GROUPS, WHATSAPP_AUTH, WA_MEDIA_DIR, ACCESS_FILE, SUDO_ENC_FILE, SUDO_KEY_FILE, MEMORY_FILE, EMBEDDINGS_IDX } from "./paths.js";
+import { BOT_ROOT, MEMORY_DIR, USERS_DIR, BACKUP_DIR, SOUL_FILE, TOOLS_MD, TOOLS_JSON, CRON_FILE, MCP_CONFIG, FALLBACK_FILE, CUSTOM_MODELS, WA_GROUPS, WHATSAPP_AUTH, WA_MEDIA_DIR, ACCESS_FILE, SUDO_ENC_FILE, SUDO_KEY_FILE, MEMORY_FILE, EMBEDDINGS_IDX, ENV_FILE } from "./paths.js";
 /**
  * Check if legacy data exists in the old locations.
  */
@@ -31,7 +31,13 @@ export function hasLegacyData() {
         resolve(BOT_ROOT, "docs", "users"),
         resolve(BOT_ROOT, "data", "access.json"),
         resolve(BOT_ROOT, "SOUL.md"),
-    ];
+        // A BOT_ROOT/.env without a corresponding DATA_DIR/.env is a legacy layout
+        // — the loader prefers DATA_DIR, so keeping .env in BOT_ROOT silently
+        // breaks Settings/Setup/Doctor/fallback-order sync.
+        (fs.existsSync(resolve(BOT_ROOT, ".env")) && !fs.existsSync(ENV_FILE))
+            ? resolve(BOT_ROOT, ".env")
+            : "",
+    ].filter(Boolean);
     return legacyIndicators.some(p => fs.existsSync(p));
 }
 /**
@@ -47,6 +53,21 @@ function copyIfNew(src, dest) {
     }
     return false;
 }
+/**
+ * Copy a file if source exists and destination doesn't, then enforce a specific file mode.
+ * Used for files containing secrets (e.g. .env) where 0600 must be guaranteed
+ * regardless of the source file's permissions or the process umask.
+ */
+function copyIfNewWithMode(src, dest, mode) {
+    const copied = copyIfNew(src, dest);
+    if (copied) {
+        try {
+            fs.chmodSync(dest, mode);
+        }
+        catch { /* best effort */ }
+    }
+    return copied;
+}
 /**
  * Recursively copy a directory if source exists and destination doesn't have the files.
  */
@@ -89,6 +110,8 @@ export function migrateFromLegacy() {
             skipped.push(label);
     }
     // ── Single files ─────────────────────────────────────────
+    // .env → .env  (secrets — enforce 0600 mode regardless of source perms)
+    track(".env → .env", copyIfNewWithMode(resolve(BOT_ROOT, ".env"), ENV_FILE, 0o600));
     // SOUL.md → soul.md
     track("SOUL.md → soul.md", copyIfNew(resolve(BOT_ROOT, "SOUL.md"), SOUL_FILE));
     // TOOLS.md → tools.md

package/dist/paths.js

@@ -23,13 +23,22 @@ export const PLUGINS_DIR = resolve(BOT_ROOT, "plugins");
 export const SKILLS_DIR = resolve(BOT_ROOT, "skills");
 /** User skills directory (custom, outside repo) */
 export const USER_SKILLS_DIR = resolve(DATA_DIR, "skills");
-/** .env — Environment config (stays in BOT_ROOT for dev, or DATA_DIR for packaged) */
-export const ENV_FILE = resolve(BOT_ROOT, ".env");
 /** Example/template files (always in repo) */
 export const SOUL_EXAMPLE = resolve(BOT_ROOT, "SOUL.example.md");
 export const TOOLS_EXAMPLE_MD = resolve(BOT_ROOT, "TOOLS.example.md");
 export const TOOLS_EXAMPLE_JSON = resolve(BOT_ROOT, "docs", "tools.example.json");
 // ── Data paths (DATA_DIR = ~/.alvin-bot) ───────────────────────────
+/**
+ * .env — Environment config with secrets (BOT_TOKEN, API keys, etc.)
+ *
+ * Lives in DATA_DIR (outside the code repo) for three reasons:
+ *   1. Defense in depth against accidental commits — secrets never touch BOT_ROOT
+ *   2. Survives `npm update -g` (BOT_ROOT in global installs = node_modules, gets wiped)
+ *   3. Consistent with the loader priority in src/config.ts (DATA_DIR is Priority 1)
+ *
+ * Legacy installs with BOT_ROOT/.env are auto-migrated on first run (see src/migrate.ts).
+ */
+export const ENV_FILE = resolve(DATA_DIR, ".env");
 /** memory/ — Daily logs and embeddings */
 export const MEMORY_DIR = resolve(DATA_DIR, "memory");
 /** memory/MEMORY.md — Long-term curated memory */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.4.3",
+  "version": "4.4.4",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",