alvin-bot 4.4.5 → 4.4.6

package/CHANGELOG.md

@@ -2,6 +2,50 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [4.4.6] — 2026-04-09
+
+### 🐛 Bug Fixes
+
+**`alvin-bot audit` now reads `.env` from `DATA_DIR`** — Before this release, `audit` was a subprocess that never loaded the bot's config: it only inspected `process.env`, which for an ad-hoc CLI invocation is the shell environment, not the bot's actual runtime state. Result: `ALLOWED_USERS` and `WEB_PASSWORD` were always reported as "not set" even when the bot was correctly configured and running. `audit` now calls `dotenv.config({ path: ENV_FILE })` at the start of `runAudit()` so its output matches `alvin-bot doctor` and the actual engine.
+
+**`alvin-bot doctor` no longer hangs indefinitely on missing `.env`** — The CLI's `readline` interface was created eagerly at module load, which made `stdin` readable for the entire process lifetime. Commands like `doctor`, `audit`, `version` that have no interactive prompts would therefore never terminate — even though the `doctor()` function correctly early-returned when `.env` was missing, `node` refused to exit because the event loop still saw stdin as a live resource. Readline is now lazy-created only when `ask()` is actually called. Measured improvement: **doctor with missing .env terminates in 82 ms** (previously: 20+ second hang, often requiring Ctrl+C).
+
+**`validateProviderKey("claude-sdk", …)` no longer false-negatives on Agent SDK auth** — The CLI's Claude check ran `claude auth status` and hard-failed on `loggedIn: false`. But the Claude Agent SDK has multiple auth paths that the CLI doesn't see: `ANTHROPIC_API_KEY` env var, Claude Code IDE sessions, and native-binary session cookies. Real-world example: a bot that was actively answering Telegram messages correctly was reported as "❌ Claude CLI not authenticated" by `doctor`. The validation is now:
+- `ANTHROPIC_API_KEY` set → `ok: true` (immediate pass, CLI irrelevant)
+- `claude` binary present + `auth status: loggedIn: true` → `ok: true`
+- `claude` binary present + `auth status: loggedIn: false` → `ok: true` with a **warning** (the Agent SDK may still work via session / env var; user is advised to run `claude auth login` only if the bot fails to respond)
+- `claude` binary missing → `ok: false` (hard error with install hint)
+
+`doctor` now renders the warning as ⚠️ instead of ❌, making the output match actual behavior.
+
+### ✨ New Feature
+
+**`alvin-bot setup --non-interactive` for CI, Docker, and scripted installs** — The interactive setup wizard was the only way to write `~/.alvin-bot/.env`, which blocked automated provisioning. Now supports flag-driven, non-interactive setup:
+
+```bash
+alvin-bot setup --non-interactive \
+  --bot-token=123456789:AAE... \
+  --allowed-users=12345,67890 \
+  --primary-provider=claude-sdk \
+  --fallback-providers=ollama \
+  --groq-key=gsk_... \
+  --google-key=AIza... \
+  --openai-key=sk-... \
+  --nvidia-key=nvapi-... \
+  --anthropic-key=sk-ant-... \
+  --openrouter-key=sk-or-... \
+  --web-password=... \
+  --platform=telegram \
+  --skip-validation   # optional, skips the live Telegram getMe call
+```
+
+- Refuses to overwrite an existing `.env` (exits 1 with a clear message).
+- Writes with mode `0600`.
+- Validates `--bot-token` format and `--allowed-users` numeric format before writing.
+- Optionally pings Telegram `getMe` unless `--skip-validation` is passed.
+
+`-y` and `--yes` work as aliases for `--non-interactive`.
+
 ## [4.4.5] — 2026-04-09
 
 ### 🔐 Security / Information Disclosure

package/bin/cli.js

@@ -29,8 +29,20 @@ const DATA_DIR = process.env.ALVIN_DATA_DIR || join(homedir(), ".alvin-bot");
 // Init i18n early
 initI18n();
 
-const rl = createInterface({ input: process.stdin, output: process.stdout });
-const ask = (q) => new Promise((r) => rl.question(q, r));
+// Lazy-create the readline interface. If we create it eagerly, stdin becomes
+// "active" and Node refuses to exit even when a command like `doctor` has
+// finished synchronously. Before v4.4.6 this caused `alvin-bot doctor` to
+// hang indefinitely when .env was missing — early-return worked, but the
+// process couldn't terminate. Creating rl only when `ask()` is actually
+// called keeps non-interactive commands (audit/doctor/version/start/stop)
+// terminating cleanly.
+let rl = null;
+const ensureRL = () => {
+  if (!rl) rl = createInterface({ input: process.stdin, output: process.stdout });
+  return rl;
+};
+const closeRL = () => { if (rl) { rl.close(); rl = null; } };
+const ask = (q) => new Promise((r) => ensureRL().question(q, r));
 
 const LOGO = `
   ╔══════════════════════════════════════╗
@@ -164,6 +176,17 @@ async function validateProviderKey(providerKey, apiKey) {
       }
 
       case "claude-sdk": {
+        // The Claude Agent SDK can authenticate through multiple paths that
+        // `claude auth status` does not see:
+        //   1. ANTHROPIC_API_KEY env var (bypasses CLI entirely)
+        //   2. An active Claude Code session (IDE-initiated, not via `auth login`)
+        //   3. Native binary session cookies
+        // Prior to v4.4.6 this check hard-failed on `loggedIn: false` even when
+        // the engine ran fine — confusing users whose bot was actually working.
+        if (process.env.ANTHROPIC_API_KEY) {
+          return { ok: true, detail: "Claude SDK via ANTHROPIC_API_KEY env var" };
+        }
+
         // Find claude binary — check PATH and common locations
         let claudeBin = null;
         try {
@@ -180,10 +203,13 @@ async function validateProviderKey(providerKey, apiKey) {
           }
         }
         if (!claudeBin) {
-          return { ok: false, error: "Claude CLI not installed" };
+          return { ok: false, error: "Claude CLI not installed. Run: curl -fsSL https://claude.ai/install.sh | sh" };
         }
+
+        // Check `claude auth status`. On mismatch, we DON'T hard-fail:
+        // we return a warning so the Agent SDK still gets a chance to run
+        // (it has independent auth paths the CLI doesn't know about).
         try {
-          // Use `auth status` instead of `-p "ping"` — faster and doesn't require a full query
           const authJson = execSync(`${claudeBin} auth status`, {
             stdio: "pipe", timeout: 10000, encoding: "utf-8",
           });
@@ -191,7 +217,11 @@ async function validateProviderKey(providerKey, apiKey) {
           if (authData.loggedIn) {
             return { ok: true, detail: `Claude SDK authenticated (${authData.authMethod || "OK"})` };
           }
-          return { ok: false, error: "Claude CLI not authenticated. Run: claude auth login" };
+          return {
+            ok: true,
+            warning: "Claude CLI reports not logged in, but the Agent SDK may still work via session/env-var. If the bot fails to respond, run: claude auth login",
+            detail: "Claude CLI present (not logged in via `auth status` — Agent SDK may still work)",
+          };
         } catch (err) {
           const msg = err.stdout?.toString() || err.stderr?.toString() || err.message || "";
           // Try parsing JSON from stdout (auth status exits with code 1 when not logged in)
@@ -201,7 +231,11 @@ async function validateProviderKey(providerKey, apiKey) {
               return { ok: true, detail: `Claude SDK authenticated (${authData.authMethod || "OK"})` };
             }
           } catch {}
-          return { ok: false, error: "Claude CLI not authenticated. Run: claude auth login" };
+          return {
+            ok: true,
+            warning: "Claude CLI `auth status` failed. Agent SDK may still work via session/env-var. If the bot fails to respond, run: claude auth login",
+            detail: "Claude CLI present (auth status check failed — Agent SDK may still work)",
+          };
         }
       }
 
@@ -298,9 +332,148 @@ async function runPostSetupValidation(providerKey, apiKey, botToken, webPort) {
   return allGood;
 }
 
+// ── Setup: Argument Parsing ─────────────────────────────────────────────────
+
+/**
+ * Parse `alvin-bot setup --non-interactive` style CLI args.
+ * Returns a flat object with the values found (or null for unset fields).
+ *
+ * Supports both `--flag=value` and `--flag value` syntax.
+ */
+function parseSetupArgs(argv) {
+  const args = {};
+  const flags = new Set(["--non-interactive", "-y", "--yes", "--skip-validation"]);
+  const valueFlags = [
+    "--bot-token", "--allowed-users", "--primary-provider",
+    "--groq-key", "--google-key", "--openai-key", "--nvidia-key",
+    "--openrouter-key", "--anthropic-key",
+    "--fallback-providers", "--web-password", "--platform",
+  ];
+  for (let i = 3; i < argv.length; i++) {
+    const a = argv[i];
+    if (flags.has(a)) {
+      args[a.replace(/^-+/, "")] = true;
+      continue;
+    }
+    for (const vf of valueFlags) {
+      if (a === vf) {
+        args[vf.replace(/^-+/, "")] = argv[++i];
+        break;
+      }
+      if (a.startsWith(vf + "=")) {
+        args[vf.replace(/^-+/, "")] = a.slice(vf.length + 1);
+        break;
+      }
+    }
+  }
+  return args;
+}
+
+/**
+ * Non-interactive setup path for CI/Docker/automation.
+ *
+ * Writes ~/.alvin-bot/.env directly from CLI args, with no prompts.
+ * The bot's own `ensureDataDirs()` + `seedDefaults()` handle the rest
+ * on the next `alvin-bot start`.
+ *
+ * Usage:
+ *   alvin-bot setup --non-interactive \
+ *     --bot-token=123:AAE... \
+ *     --allowed-users=12345,67890 \
+ *     --primary-provider=claude-sdk \
+ *     --groq-key=gsk_... \
+ *     --fallback-providers=groq,ollama
+ */
+async function setupNonInteractive(args) {
+  console.log("🤖 Alvin Bot — Non-interactive setup\n");
+
+  // Ensure DATA_DIR exists (will also be recreated on bot start, but we
+  // need it now to write the .env).
+  if (!existsSync(DATA_DIR)) {
+    mkdirSync(DATA_DIR, { recursive: true });
+    console.log(`✓ Created ${DATA_DIR}`);
+  }
+
+  const envFile = resolve(DATA_DIR, ".env");
+  if (existsSync(envFile)) {
+    console.log(`⚠️  ${envFile} already exists — refusing to overwrite.`);
+    console.log(`   Delete it manually first, or edit it directly.`);
+    process.exit(1);
+  }
+
+  // Validate required fields
+  const token = args["bot-token"];
+  if (token && !/^\d+:[A-Za-z0-9_-]+$/.test(token)) {
+    console.log(`❌ --bot-token format invalid. Expected: 123456789:ABCdef...`);
+    process.exit(1);
+  }
+  const users = args["allowed-users"];
+  if (users) {
+    const ids = users.split(",").map(s => s.trim());
+    const bad = ids.filter(id => !/^\d+$/.test(id));
+    if (bad.length > 0) {
+      console.log(`❌ --allowed-users must be comma-separated numeric IDs. Got invalid: ${bad.join(", ")}`);
+      process.exit(1);
+    }
+  }
+
+  // Optional: validate token with Telegram API unless --skip-validation
+  if (token && !args["skip-validation"]) {
+    const tgResult = await validateTelegramToken(token);
+    if (tgResult.ok) {
+      console.log(`✓ Telegram: ${tgResult.botName}`);
+    } else {
+      console.log(`⚠️  Telegram token validation failed: ${tgResult.error}`);
+      console.log(`   Writing .env anyway. Pass --skip-validation to suppress this warning.`);
+    }
+  }
+
+  const primary = args["primary-provider"] || "groq";
+  const fallbacks = args["fallback-providers"] || "";
+  const platform = args["platform"] || "telegram";
+
+  const envLines = [
+    "# === Telegram ===",
+    `BOT_TOKEN=${token || ""}`,
+    `ALLOWED_USERS=${users || ""}`,
+    "",
+    "# === AI Provider ===",
+    `PRIMARY_PROVIDER=${primary}`,
+    `FALLBACK_PROVIDERS=${fallbacks}`,
+    "",
+    "# === API Keys ===",
+  ];
+  if (args["groq-key"])       envLines.push(`GROQ_API_KEY=${args["groq-key"]}`);
+  if (args["google-key"])     envLines.push(`GOOGLE_API_KEY=${args["google-key"]}`);
+  if (args["openai-key"])     envLines.push(`OPENAI_API_KEY=${args["openai-key"]}`);
+  if (args["nvidia-key"])     envLines.push(`NVIDIA_API_KEY=${args["nvidia-key"]}`);
+  if (args["openrouter-key"]) envLines.push(`OPENROUTER_API_KEY=${args["openrouter-key"]}`);
+  if (args["anthropic-key"])  envLines.push(`ANTHROPIC_API_KEY=${args["anthropic-key"]}`);
+  envLines.push("");
+  envLines.push("# === Agent ===");
+  envLines.push("WORKING_DIR=" + homedir());
+  envLines.push("MAX_BUDGET_USD=5.0");
+  envLines.push("WEB_PORT=3100");
+  if (args["web-password"]) envLines.push(`WEB_PASSWORD=${args["web-password"]}`);
+  envLines.push("");
+  envLines.push("# === Platforms ===");
+  envLines.push(`WHATSAPP_ENABLED=${platform === "whatsapp" ? "true" : "false"}`);
+
+  writeFileSync(envFile, envLines.join("\n") + "\n", { mode: 0o600 });
+  console.log(`✓ Wrote ${envFile} (mode 0600)`);
+  console.log(`\n✅ Setup complete. Start the bot with: alvin-bot start\n`);
+}
+
 // ── Setup Wizard ────────────────────────────────────────────────────────────
 
 async function setup() {
+  // Non-interactive path for CI/automation/scripted installs.
+  const args = parseSetupArgs(process.argv);
+  if (args["non-interactive"] || args["yes"] || args["y"]) {
+    await setupNonInteractive(args);
+    return;
+  }
+
   console.log(LOGO);
 
   // ── Prerequisites
@@ -318,7 +491,7 @@ async function setup() {
 
   if (!hasNode) {
     console.log(`\n❌ ${t("setup.nodeRequired")}`);
-    rl.close();
+    closeRL();
     return;
   }
 
@@ -337,7 +510,7 @@ async function setup() {
     console.log(`  Get one from @BotFather on Telegram.\n`);
     const proceed = (await ask(`  Continue anyway? (y/n): `)).trim().toLowerCase();
     if (proceed !== "y" && proceed !== "yes" && proceed !== "j" && proceed !== "ja") {
-      rl.close();
+      closeRL();
       return;
     }
   }
@@ -381,7 +554,7 @@ async function setup() {
         console.log(`  Send /start to @userinfobot on Telegram to get your numeric ID.\n`);
         const proceed = (await ask(`  Continue anyway? (y/n): `)).trim().toLowerCase();
         if (proceed !== "y" && proceed !== "yes" && proceed !== "j" && proceed !== "ja") {
-          rl.close();
+          closeRL();
           return;
         }
       }
@@ -759,7 +932,7 @@ async function setup() {
       console.log(`\n  ❌ ${t("setup.buildFailed")}`);
       console.log(`  The bot cannot start without a successful build.`);
       console.log(`  Try running 'npm run build' manually to see the error.\n`);
-      rl.close();
+      closeRL();
       return;
     }
   }
@@ -804,7 +977,7 @@ Bot commands:
 ${t("setup.haveFun")}
 `);
 
-  rl.close();
+  closeRL();
 }
 
 // ── Doctor ──────────────────────────────────────────────────────────────────
@@ -866,7 +1039,10 @@ async function doctor() {
 
     console.log(`  Validating ${primary}...`);
     const result = await validateProviderKey(primary, key);
-    if (result.ok) {
+    if (result.ok && result.warning) {
+      console.log(`  ⚠️  ${primary} — ${result.detail}`);
+      console.log(`     ${result.warning}`);
+    } else if (result.ok) {
       console.log(`  ✅ ${primary} — ${result.detail}`);
     } else {
       console.log(`  ❌ ${primary} — ${result.error}`);

package/dist/services/security-audit.js

@@ -1,11 +1,19 @@
 import fs from "fs";
 import { execSync } from "child_process";
-import { resolve } from "path";
-import { DATA_DIR } from "../paths.js";
+import dotenv from "dotenv";
+import { DATA_DIR, ENV_FILE } from "../paths.js";
 export function runAudit() {
     const checks = [];
+    // `alvin-bot audit` runs in its own process (outside the main bot) and
+    // does NOT go through src/config.ts, so process.env is empty by default.
+    // We must load the .env ourselves or ALLOWED_USERS/WEB_PASSWORD checks
+    // will always report as "not set" — which silently contradicts the bot's
+    // actual runtime state (a bug up to v4.4.5).
+    if (fs.existsSync(ENV_FILE)) {
+        dotenv.config({ path: ENV_FILE });
+    }
     // 1. .env file permissions
-    const envFile = resolve(DATA_DIR, ".env");
+    const envFile = ENV_FILE;
     if (fs.existsSync(envFile)) {
         const stat = fs.statSync(envFile);
         const mode = (stat.mode & 0o777).toString(8);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "alvin-bot",
-  "version": "4.4.5",
+  "version": "4.4.6",
   "description": "Alvin Bot — Your personal AI agent on Telegram, WhatsApp, Discord, Signal, and Web.",
   "type": "module",
   "main": "dist/index.js",